
Scanner Security Guide

The NopeSight Scanner Agent is designed with a security-first approach to ensure that your credentials and data are protected throughout the discovery process. This guide explains the key security mechanisms related to credential storage and communication with the central NopeSight platform.

Secure Credential Storage

A core security principle of the scanner is that the credentials you provide for discovery never leave the scanner machine.

How Credentials Are Stored

  1. Local Storage: All credentials you enter into the scanner's GUI are stored in an encrypted file on the machine where the scanner is running.
     • Windows Location: C:\ProgramData\NopesightScanner\credentials.enc

  2. Strong Encryption: The credentials.enc file is not plain text. It is encrypted with the Fernet symmetric encryption scheme (AES-128-CBC).

  3. Unique Encryption Key: The key used to encrypt and decrypt the credentials file is also generated and stored locally, in a separate key.enc file. This key is unique to your scanner installation.

How Credentials Are Used

  • When a scan is initiated, the scanner reads the encrypted credentials.enc file.
  • It decrypts the necessary credentials into the application's memory.
  • It uses the in-memory credentials to authenticate to a target device (e.g., to connect via WMI or SSH).
  • At no point are these credentials written to log files in plain text or transmitted over the network to the NopeSight platform.

This architecture ensures that your sensitive credentials for target systems remain entirely within your control and on your local network.


Secure Server-Scanner Communication

The scanner communicates with the central NopeSight platform for two purposes: uploading scan results and real-time management. Both channels are secured and encrypted.

1. Uploading Scan Results (HTTPS)

  • What is Sent: The scanner only sends the results of a discovery scan to the NopeSight platform. This is the data it discovered about your systems (e.g., hardware model, installed software, IP addresses), not the credentials used to find that data.

  • How it is Sent: Scan results are sent from the scanner to the NopeSight API endpoint over HTTPS (TCP port 443), so all discovery data is encrypted in transit with TLS 1.2 or higher. TLS (SSL) certificate verification is enabled by default to prevent man-in-the-middle attacks; leave it enabled, since disabling it removes that protection.

2. Real-Time Communication (WebSocket)

The scanner maintains a persistent connection to the platform for real-time management and control.

  • Purpose: To provide status updates (Online, Offline, Scanning) and to allow administrators to manage the scanner remotely from the NopeSight platform UI.

  • How it is Secured: This connection is made using WebSocket Secure (WSS), which is a WebSocket connection tunneled over an encrypted TLS channel (on port 443).

  • Authentication: The WebSocket connection is authenticated using the API Token (Discovery Token) you configured in the Integrations tab. It does not use or transmit any of the target system credentials (like WMI or SSH passwords).

Remote Management Capabilities

Through the secure WebSocket connection, administrators on the NopeSight platform can perform the following remote actions:

  • Monitor Agent Status: View real-time health, connectivity, and system metrics (CPU, memory) of the scanner machine.
  • Trigger Scans: Initiate on-demand scans for specific IP ranges without needing to access the scanner machine directly.
  • Update Schedules: Modify, add, or remove scanning schedules.
  • View Configuration: Check the current agent settings and capabilities.