
Encryption in AWS

Introduction to encryption

In some cases, Indicium needs access to a secure location for storing encryption keys:

  • When encrypting key values such as passwords, client secrets or API keys.
  • When using the Encrypt and Decrypt process actions.
  • When scaling to multiple Indicium instances.
Warning: It is very important to back up these keys. If you lose these keys, the encrypted data in the database can no longer be used and cannot be recovered in any way.

Without this setup, calling the Encrypt and Decrypt process actions in your application will result in an error.

This manual describes how to centralize the storage of this certificate in AWS.

Store encryption keys on AWS

When using Indicium on AWS, encryption keys must be saved in the AWS Secrets Manager.

To give the Elastic Beanstalk EC2 instance access to the Secrets Manager:

  1. In your Elastic Beanstalk EC2 instance, select the Security tab.

  2. Click the Identity and Access Management (IAM) link.

  3. Click Add permissions.

  4. Click Create inline policy.

  5. In the JSON tab, paste the JSON code fragment below.

  6. Click Save to save the new policy. Indicium can now access the AWS Secrets Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-prefix>-*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}

In the above JSON code fragment:

  • Replace region with, for example, “eu-west-1”.
  • Replace account-id with your account number.
  • Replace secret-prefix with the prefix you want your encryption keys in the Secrets Manager to be named.

For example, if your prefix is “indicium/dataprotection-test”, you should give access to “indicium/dataprotection-test-*” with the wildcard character.
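To confirm that the inline policy above was filled in correctly and stays scoped to your prefix, here is an added Python example (not Indicium's or AWS's code): build_policy renders the page's policy from region, account id and prefix, and check_policy flags placeholders left in, actions beyond the three the page grants, or a Get/Create action allowed on anything other than the prefix ARN. The function names and the sample account id are assumptions.

```python
# Actions the page's inline policy grants on the prefixed secrets, and the one
# action Secrets Manager only evaluates against Resource "*".
PREFIXED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"}
LIST_ACTIONS = {"secretsmanager:ListSecrets"}

def build_policy(region, account_id, secret_prefix):
    """Render the page's inline policy with the three placeholders filled in."""
    arn = f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_prefix}-*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": sorted(PREFIXED_ACTIONS), "Resource": arn},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": "secretsmanager:ListSecrets", "Resource": "*"},
        ],
    }

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def check_policy(policy, secret_prefix):
    """Return findings where the policy is wider than the page requires:
    unreplaced <placeholders>, actions beyond the three the page grants, or a
    non-List action allowed on anything but the prefix ARN."""
    findings = []
    expected_tail = f":secret:{secret_prefix}-*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if "<" in res or ">" in res:
                findings.append(f"{sid}: placeholder left in Resource {res}")
        for action in _as_list(stmt.get("Action", [])):
            if action in LIST_ACTIONS:
                continue
            if action not in PREFIXED_ACTIONS:
                findings.append(f"{sid}: action {action} is not needed by Indicium")
                continue
            for res in resources:
                if not (res.startswith("arn:aws:secretsmanager:") and res.endswith(expected_tail)):
                    findings.append(f"{sid}: {action} allowed on {res}, expected ARN ending {expected_tail}")
    return findings
```

Run check_policy against the policy you actually saved in IAM (paste it as a dict) and against the prefix from appsettings.json; an empty list means the two agree.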

  1. In the appsettings.json configuration file, add the following code:

     "DataProtectionSettings": {
       "AwsSecretManager": {
         "SecretPrefix": "indicium/dataprotection-test"
       }
     }

Indicium will automatically add a new key with the configured prefix every 90 days.

Warning: Do not delete old keys. If old keys are deleted, Indicium can no longer decrypt the data that was encrypted with them.

