Version: 2024

Encryption in Azure

Introduction to encryption

In some cases, Indicium needs access to a secure location for storing encryption keys:

  • When encrypting key values such as passwords, client secrets or API keys.
  • When using the Encrypt and Decrypt process actions.
  • When scaling to multiple Indicium instances.

It is very important to back up these keys. If you lose these keys, the encrypted data in the database can no longer be used and cannot be recovered in any way.

Without this setup, calling the Encrypt and Decrypt process actions in your application will result in an error.

This manual describes how to centralize the storage of this certificate in Azure.

Create a Key Vault for encryption

When using Indicium on Azure, the encryption keys must be stored in a Key Vault:

  1. Create a Key Vault on the Azure Portal.

  2. Add an "Access Policy" to it to allow the Indicium instance Web App access.

  3. Select the Identity menu in the Indicium Web App.

  4. Check whether the Identity setting System Assigned is enabled.

  5. In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.

  6. In the Secret permissions field, select the "Get", "List", and "Set" permissions.

  7. In the Select principal field, select your Indicium Web App.

  8. Click Add. You are automatically returned to the Access Policy screen.

  9. Click Save to save the new access policy.


Add encryption settings to Indicium

To use the newly created Key Vault, you must set the KeyVaultSecretUrl setting in the Indicium Web App.

In the appsettings.json configuration file, this KeyVaultSecretUrl setting can be configured directly:

  "DataProtectionSettings": {
    "AzureKeyVault": {
      "KeyVaultSecretUrl": "<key vault secret url>"
    }
  }

Alternatively, you can store this setting in the App Service:

  1. In the App Service, select Settings > Configuration from the menu.

  2. Add the following Application settings:

Name: DataProtectionSettings:AzureKeyVault:KeyVaultSecretUrl

Value: https://<name-of-the-key-vault>.vault.azure.net/secrets/<secret-name>

When the Key Vault URL is configured, Indicium will automatically create a key. Every 90 days, Indicium creates a new version within this key.

Do not delete old versions! If you delete old versions, Indicium can no longer decrypt the old data.
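An added example, not part of the original documentation or the product's code: a Python check over the JSON returned by `az keyvault show --name <vault>`, confirming that the Web App identity holds exactly the "Get", "List" and "Set" secret permissions from the procedure above and that the configured KeyVaultSecretUrl points at a secret in that vault. The vault name, object id, secret name and function names are constructed placeholders, and expecting a URL without a version segment is an assumption based on Indicium creating the versions itself.

```python
import json
from urllib.parse import urlparse

REQUIRED = {"get", "list", "set"}  # secret permissions from step 6
WEB_APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object id
# Constructed sample shaped like `az keyvault show` output; all values are placeholders.
SAMPLE_VAULT = json.loads("""
{"name": "kv-example", "properties": {
  "vaultUri": "https://kv-example.vault.azure.net/",
  "accessPolicies": [{
    "objectId": "00000000-0000-0000-0000-000000000001",
    "permissions": {"secrets": ["Get", "List", "Set", "Delete"],
                    "keys": ["Get"], "certificates": []}}]}}
""")


def audit_access_policy(vault, principal_id):
    """Return deviations from 'Get, List, Set on secrets only' for one identity."""
    policies = [p for p in vault["properties"].get("accessPolicies") or []
                if p.get("objectId") == principal_id]
    if not policies:
        return ["no access policy for this identity"]
    perms = policies[0].get("permissions") or {}
    secrets = {s.lower() for s in perms.get("secrets") or []}
    findings = []
    if REQUIRED - secrets:
        findings.append("missing secret permissions: " + ",".join(sorted(REQUIRED - secrets)))
    if secrets - REQUIRED:
        findings.append("extra secret permissions: " + ",".join(sorted(secrets - REQUIRED)))
    for kind in ("keys", "certificates", "storage"):
        if perms.get(kind):  # the procedure grants secret permissions only
            findings.append(f"unneeded {kind} permissions: "
                            + ",".join(sorted(x.lower() for x in perms[kind])))
    return findings


def audit_secret_url(url, vault):
    """Check that KeyVaultSecretUrl is https, targets this vault and names one secret."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    findings = []
    if parsed.scheme != "https":
        findings.append("not https")
    if parsed.hostname != urlparse(vault["properties"]["vaultUri"]).hostname:
        findings.append("host is not this vault")
    # Assumption: the URL carries no version segment, since Indicium adds versions itself.
    if len(segments) != 2 or segments[0] != "secrets":
        findings.append("path is not /secrets/<secret-name>")
    return findings
```

To audit a real deployment, load the saved `az keyvault show` output with `json.load` and pass the object id shown in the Web App's Identity menu.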
