Version: 2022

Encryption in Indicium

Storing encryption keys

In some cases, Indicium needs access to a secure location for storing encryption keys:

  • when using the Encrypt and Decrypt process actions
  • when scaling to multiple Indicium instances.
warning

It is very important to back up these keys. If you lose these keys, the encrypted data in the database can no longer be used and cannot be recovered in any way.

The Thinkwise platform has several options to set up the storage of the encryption keys:

If this setup has not been performed, calling the Encrypt and Decrypt process actions in your application results in an error.

Store encryption keys on Azure

When using Indicium on Azure, the encryption keys must be stored in a Key Vault:

  1. Create a Key Vault on the Azure Portal.

  2. Add an "Access Policy" to it to allow the Indicium instance Web App access.

  3. Select the Identity menu in the Indicium Web App.

  4. Check whether the Identity setting System Assigned is enabled.

  5. In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.

  6. In the Secret permissions field, select the "Get", "List", and "Set" permissions.

  7. In the Select principal field, select your Indicium Web App.

  8. Click Add. You are automatically returned to the Access Policy screen.

  9. Click Save to save the new access policy.


To use the newly created Key Vault, you must set the KeyVaultSecretUrl setting in the Indicium Web App.

In the appsettings.json configuration file, this KeyVaultSecretUrl setting can be configured directly:

  "DataProtectionSettings": {
    "AzureKeyVault": {
      "KeyVaultSecretUrl": "<key vault secret url>"
    }
  }

Alternatively, you can store this setting in the App Service:

  1. In the App Service, select Settings > Configuration from the menu.

  2. Add the following Application settings:

Name: DataProtectionSettings:AzureKeyVault:KeyVaultSecretUrl

Value: https://<name-of-the-key-vault>.vault.azure.net/secrets/<secret-name>

When the Key Vault URL is configured, Indicium automatically creates a key. Every 90 days, Indicium creates a new version within this key.

warning

Do not delete old versions! If old versions are deleted, Indicium can no longer decrypt the data that was encrypted with them.
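Both forms above configure the same setting: the .NET configuration system maps the colon-separated App Service key onto the nested hierarchy of appsettings.json. The following Python script is an added example and is not part of the Thinkwise documentation or of Indicium. It expands the flat form, reports which key-store section is present, and checks the KeyVaultSecretUrl against the https://<name-of-the-key-vault>.vault.azure.net/secrets/<secret-name> shape shown above, so that an unreplaced placeholder, a plain-http URL or a typo in the path is caught before deployment. The sample values and the function names are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the nested form from appsettings.json (hypothetical vault and secret name).
SAMPLE_APPSETTINGS = json.loads("""
{
  "DataProtectionSettings": {
    "AzureKeyVault": {
      "KeyVaultSecretUrl": "https://example-vault.vault.azure.net/secrets/indicium-dataprotection"
    }
  }
}
""")

# Constructed sample: the flat form used in App Service > Configuration, where ':'
# separates hierarchy levels. The placeholders were deliberately left unreplaced.
SAMPLE_APP_SERVICE_SETTINGS = {
    "DataProtectionSettings:AzureKeyVault:KeyVaultSecretUrl":
        "https://<name-of-the-key-vault>.vault.azure.net/secrets/<secret-name>",
}

# The three key-store sections described on this page.
PROVIDERS = ("AzureKeyVault", "LocalFileSystem", "AwsSecretManager")


def flat_to_nested(settings):
    """Expand 'A:B:C' keys into nested dicts, the way the .NET configuration system does."""
    root = {}
    for key, value in settings.items():
        node = root
        parts = key.split(":")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return root


def configured_providers(config):
    """Return the names of the non-empty key-store sections under DataProtectionSettings."""
    dp = config.get("DataProtectionSettings", {})
    return [p for p in PROVIDERS if isinstance(dp.get(p), dict) and dp[p]]


def check_key_vault_secret_url(url):
    """Return a list of problems with a KeyVaultSecretUrl; an empty list means it looks right."""
    problems = []
    if "<" in url or ">" in url:
        problems.append("placeholder not replaced")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if not parsed.hostname or not parsed.hostname.endswith(".vault.azure.net"):
        problems.append("host is not a *.vault.azure.net Key Vault")
    segments = [s for s in parsed.path.split("/") if s]
    # Expected shape: /secrets/<secret-name>, optionally followed by a secret version id.
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        problems.append("path must be /secrets/<secret-name>")
    return problems


def check_data_protection(config):
    """Collect findings for the DataProtectionSettings section of a (nested) configuration."""
    findings = []
    providers = configured_providers(config)
    if not providers:
        # The page states that without this setup the Encrypt/Decrypt process actions error out.
        findings.append("no key store configured: Encrypt/Decrypt process actions will fail")
        return findings
    if "AzureKeyVault" in providers:
        url = config["DataProtectionSettings"]["AzureKeyVault"].get("KeyVaultSecretUrl", "")
        findings.extend("KeyVaultSecretUrl: " + p for p in check_key_vault_secret_url(url))
    return findings


if __name__ == "__main__":
    for name, cfg in (("appsettings.json", SAMPLE_APPSETTINGS),
                      ("App Service", flat_to_nested(SAMPLE_APP_SERVICE_SETTINGS))):
        print(name, configured_providers(cfg), check_data_protection(cfg) or "OK")
```

Run it against an exported appsettings.json or the App Service application settings before the first deployment; the App Service sample above reports the unreplaced placeholders, while the nested sample passes.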

Store encryption keys on-premise

warning

When using an on-premise server:

  • Store the encryption keys in a safe location. If you lose the keys, the encrypted data becomes useless.
  • Make regular backups of the encryption keys.

In the appsettings.json configuration file, you can configure the location directly:

  "DataProtectionSettings": {
    "LocalFileSystem": {
      "StorageLocation": "D:\\iis-dataprotection\\indicium-keys"
    }
  }

Store encryption keys on-premise with Azure Key Vault

You can also use an on-premise server with Azure Key Vault. This setup consists of:

  • Create a new "App registration" in the Azure portal.
  • Create an Azure Key Vault.
  • Configure some settings in the appsettings.json configuration file.

  1. In Azure Active Directory, select App registrations to create the registration.

After creating the registration, you can find the Application (client) ID and the Tenant ID in the Overview menu. These IDs are used later.

  2. From the Certificates & secrets menu, add a new "Client secret".

  3. Copy or make a note of the secret value (not the secret ID); this value is used in the last step.

  4. Create a Key Vault from the Azure Portal.

  5. Add an "Access Policy" to it to allow the Indicium instance Web App access.

  6. In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.

  7. In the Secret permissions field, select the "Get", "List", and "Set" permissions.

  8. In the Select principal field, select the "App registration" you created in the first step.

  9. Click Add. You are automatically returned to the Access Policy screen.

  10. Click Save to save the new access policy.

  11. To use the newly created Key Vault, add the following section to the appsettings.json configuration file, and specify the values for TenantId, ClientId, and ClientSecret.

  "DataProtectionSettings": {
    "AzureKeyVault": {
      "TenantId": "<tenant id>",
      "ClientId": "<client id>",
      "ClientSecret": "<client secret value>",
      "KeyVaultSecretUrl": "<key vault secret url>"
    }
  }

Store encryption keys on AWS

When using Indicium on AWS, encryption keys must be saved in the AWS Secrets Manager.

To give the Elastic Beanstalk EC2 instance access to the Secrets Manager:

  1. In your Elastic Beanstalk EC2 instance, select the Security tab.

  2. Click the Identity and Access Management (IAM) link.

  3. Click Add permissions.

  4. Click Create inline policy.

  5. In the JSON tab, paste the JSON code fragment below.

  6. Click Save to save the new policy. Indicium can now access the AWS Secrets Manager.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "secretsmanager:GetSecretValue",
          "secretsmanager:CreateSecret"
        ],
        "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-prefix>-*"
      },
      {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "secretsmanager:ListSecrets",
        "Resource": "*"
      }
    ]
  }

In the above JSON code fragment:

  • Replace <region> with, for example, “eu-west-1”.
  • Replace <account-id> with your account number.
  • Replace <secret-prefix> with the prefix you want your encryption keys in the Secrets Manager to be named with.

For example, if your prefix is “indicium/dataprotection-test”, you should give access to “indicium/dataprotection-test-*” with the wildcard character.

  1. In the appsettings.json configuration file, add the following code:

  "DataProtectionSettings": {
    "AwsSecretManager": {
      "SecretPrefix": "indicium/dataprotection-test"
    }
  }
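The inline policy and the SecretPrefix in appsettings.json have to agree: the Resource ARN must end in the prefix followed by "-*", and a broader wildcard would give the instance access to every secret in the account. The following Python script is an added example, not Thinkwise's, Indicium's or AWS's code; it checks a policy document against a SecretPrefix and reports any gap or over-grant. The region is the page's example value; the account ID, the test prefix and the function names are made up for this example.

```python
import json
import re

# Constructed sample: the page's policy fragment with placeholders filled in
# (eu-west-1 is the page's example region; the account id is a made-up value).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"],
      "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:indicium/dataprotection-test-*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample: the SecretPrefix value from the appsettings.json step above.
SAMPLE_SECRET_PREFIX = "indicium/dataprotection-test"

# The only actions the page requires on the prefixed secrets themselves.
REQUIRED_PREFIXED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"}

# Secrets Manager ARN: arn:aws:secretsmanager:<region>:<account-id>:secret:<name>
SECRET_ARN = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[^:]*):(?P<account>[^:]*):secret:(?P<name>.*)$")


def as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy_against_prefix(policy, secret_prefix):
    """Return findings (empty list = policy matches the prefix and is no wider than needed)."""
    findings = []
    granted_prefixed = set()   # required actions that are correctly scoped to the prefix
    list_allowed = False
    expected_name = secret_prefix + "-*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(as_list(stmt.get("Action", [])))
        if "secretsmanager:ListSecrets" in actions:
            list_allowed = True
        prefixed = actions & REQUIRED_PREFIXED_ACTIONS
        if not prefixed:
            continue
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"{sid}: {sorted(prefixed)} granted on all secrets, restrict to the prefix")
                continue
            m = SECRET_ARN.match(res)
            if not m:
                findings.append(f"{sid}: resource is not a Secrets Manager ARN: {res}")
                continue
            if "<" in res:
                findings.append(f"{sid}: placeholder not replaced in {res}")
            name = m.group("name")
            if name != expected_name:
                findings.append(f"{sid}: resource name {name!r} does not match SecretPrefix (expected {expected_name!r})")
            else:
                granted_prefixed |= prefixed
    missing = REQUIRED_PREFIXED_ACTIONS - granted_prefixed
    if missing:
        findings.append("missing on prefixed secrets: " + ", ".join(sorted(missing)))
    if not list_allowed:
        findings.append("missing secretsmanager:ListSecrets")
    return findings


if __name__ == "__main__":
    print(check_policy_against_prefix(SAMPLE_POLICY, SAMPLE_SECRET_PREFIX) or "policy matches prefix")
    print(check_policy_against_prefix(SAMPLE_POLICY, "indicium/dataprotection-prod"))
```

The trailing "-*" is required because Secrets Manager appends a hyphen and six random characters to the secret name when it builds the ARN; the check therefore accepts exactly prefix plus "-*" and flags both a bare "*" resource and a prefix that does not match the appsettings.json value.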

Indicium will automatically add a new key with the configured prefix every 90 days.

warning

Do not delete old keys! If old keys are deleted, Indicium can no longer decrypt the data that was encrypted with them.
