Version: 2026.1.13

Encryption in AWS

In some cases, Indicium needs access to a secure location for storing encryption keys:

  • When encrypting key values such as passwords, client secrets or API keys.
  • When using the Encrypt and Decrypt process actions. If you have not set up encryption keys, these process actions will not work and will result in an error.
  • When scaling to multiple Indicium instances.
warning

Store encryption keys in a safe location and ensure that your encryption keys are backed up. If you lose these keys, the encrypted data in the database can no longer be used or recovered. This means the encrypted data is permanently lost.

Store encryption keys on AWS

If you are using Indicium on AWS, you can store your encryption keys in the AWS Secrets Manager.

To store encryption keys on AWS:

  • Give the Elastic Beanstalk EC2 instance access to the Secrets Manager.
  • Configure the appsettings.json file.

To give an Elastic Beanstalk EC2 instance access to the Secrets Manager:

  1. In your Elastic Beanstalk EC2 instance, select the Security tab.

  2. Click the Identity and Access Management (IAM) link.

  3. Click Add permissions.

  4. Click Create inline policy.

  5. In the JSON tab, paste the JSON code fragment below.

  6. Click Save to save the new policy. Indicium can now access the AWS Secrets Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-prefix>-*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}

In the above JSON code fragment:

  • Replace <region> with the region of your Secrets Manager, for example “eu-west-1”.
  • Replace <account-id> with your AWS account number.
  • Replace <secret-prefix> with the prefix that your encryption keys in the Secrets Manager will be named with.

For example, if your prefix is “indicium/dataprotection-test”, you should give access to “indicium/dataprotection-test-*” with the wildcard character.
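The following Python is an added check, not part of the Indicium documentation or product: it models IAM wildcard matching for the policy above and verifies that, once the placeholders are filled in, the policy grants the two Indicium actions only on secrets under the configured prefix. Region, account number and the ARN suffix are constructed sample values.

```python
import re

# Constructed values (not from the page): a region, a placeholder account number and
# the prefix from the article, filled into the policy's Resource ARN as step 5 asks.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
SECRET_PREFIX = "indicium/dataprotection-test"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"],
         "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{SECRET_PREFIX}-*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    ],
}

def as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def unresolved_placeholders(policy: dict) -> list[str]:
    """Return any '<...>' placeholders left in a Resource, i.e. step 5 was not completed."""
    return [p for s in policy["Statement"] for r in as_list(s["Resource"])
            for p in re.findall(r"<[^>]+>", r)]

def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """True if an Allow statement covers both the action and the resource ARN.
    (Deny statements are not modelled; this policy has none.)"""
    return any(
        s.get("Effect") == "Allow"
        and any(iam_match(a, action) for a in as_list(s["Action"]))
        and any(iam_match(r, resource_arn) for r in as_list(s["Resource"]))
        for s in policy["Statement"]
    )

def secret_arn(name: str, suffix: str = "AbCdEf") -> str:
    """Secrets Manager appends a random six-character suffix to the secret name in
    its ARN, which is why the Resource ends in '-*'. The suffix here is constructed."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name}-{suffix}"
```

Running `allows` against a key named under a different prefix, or with an action such as `secretsmanager:DeleteSecret`, returns `False`, which is the least-privilege boundary the inline policy is meant to draw.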

To configure the appsettings.json file:

  1. In the appsettings.json configuration file, add the following code:

{
  "DataSecuritySettings": {
    "Storage": {
      "Mode": "Aws"
    },
    "DataProtection": {
      "EncryptionKey": {
        "Name": "DataProtectionKeyName"
      }
    }
  }
}

Indicium will automatically add a new key with the configured prefix every 90 days.

warning

Do not delete old keys. If you delete old keys, Indicium cannot decrypt the old data in the database, which means that this data is permanently lost.
