Version: 2026.1.14

Encryption on-premise

In some cases, Indicium needs access to a secure location for storing encryption keys:

  • When encrypting key values such as passwords, client secrets or API keys.
  • When using the Encrypt and Decrypt process actions. If you have not set up encryption keys, these process actions will not work and will result in an error.
  • When scaling to multiple Indicium instances.
Warning

Store encryption keys in a safe location and ensure that your encryption keys are backed up. If you lose these keys, the encrypted data in the database can no longer be used or recovered. This means the encrypted data is permanently lost.

Store encryption keys on-premise

You can store encryption keys on-premise in a local file system. Once you have created a folder, add the location to the appsettings.json configuration file.

"DataSecuritySettings": {
  "Storage": {
    "Mode": "LocalSystem",
    "LocalSystem": {
      "StorageLocation": "<PathToStorageLocation>"
    }
  },
  "DataProtection": {
    "Active": true,
    "EncryptionKey": {
      "Name": "thinkwise--data-protection-encryption-key"
    }
  }
}

Store encryption keys on-premise with Azure Key Vault

You can use Azure Key Vault to store and manage encryption keys on-premise in a secure and centralized location.

To store encryption keys on-premise with Azure Key Vault:

  • Create a new App registration in the Azure portal.
  • Create an Azure Key Vault.
  • Configure the appsettings.json file.
  1. In Azure Active Directory, select App registrations to create the registration.

     After creating the registration, you can find the Application (client) ID and the Tenant ID in the Overview menu. These IDs are used later.

  2. From the Certificates & secrets menu, add a new "Client secret".

  3. Copy or make a note of the secret value (not the secret ID); this value is used in the last step.

  4. Create a Key Vault from the Azure portal.

  5. Add an "Access Policy" to it to allow the Indicium instance Web App access.

  6. In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.

  7. In the Secret permissions field, select the "Get", "List", and "Set" permissions.

  8. In the Select principal field, select the "App registration" you created in the first step.

  9. Click Add. You are automatically returned to the Access Policy screen.

  10. Click Save to save the new access policy.

  11. To use the newly created Key Vault, add the following section to the appsettings.json configuration file, and specify the values for TenantId, ClientId, and ClientSecret. Leave these values blank if you are using a managed identity instead of an app registration.

"DataSecuritySettings": {
  "Storage": {
    "Mode": "Azure",
    "Azure": {
      "TenantId": "<Optional. Leave blank for managed identity>",
      "ClientId": "<Optional. Leave blank for managed identity>",
      "ClientSecret": "<Optional. Leave blank for managed identity>",
      "KeyVault": {
        "Url": "https://<vault>.vault.azure.net"
      }
    }
  }
}
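Both the LocalSystem section above and this Azure section are easy to ship with the template placeholders still in place, in which case the Encrypt and Decrypt process actions fail at runtime. The following added example (not part of the Thinkwise documentation or of Indicium) is a small pre-deployment check that reads an appsettings.json and reports on exactly the keys this page documents: an unset or placeholder StorageLocation, a Key Vault URL that is not an https vault.azure.net address, a ClientSecret stored in the file where a managed identity could be used instead, and DataProtection left inactive. The rule that TenantId, ClientId and ClientSecret must be either all set or all blank, and the POSIX permission check on the key folder, are this checker's own assumptions, not behaviour stated on the page. The sample configurations embedded at the bottom are constructed.

```python
"""Lint the DataSecuritySettings section of an Indicium appsettings.json.

Added example, not part of Indicium or the Thinkwise docs. It only knows the
keys shown on the documentation page: Storage.Mode, LocalSystem.StorageLocation,
Azure.TenantId/ClientId/ClientSecret, Azure.KeyVault.Url, DataProtection.Active.
"""
import json
import re
import stat
import sys
from pathlib import Path

# Public-cloud Key Vault host names: alphanumerics and hyphens under vault.azure.net.
KEY_VAULT_URL = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$", re.IGNORECASE)


def _is_placeholder(value):
    """Template values on the docs page look like "<PathToStorageLocation>"."""
    return isinstance(value, str) and value.strip().startswith("<") and value.strip().endswith(">")


def _is_blank(value):
    return value is None or (isinstance(value, str) and value.strip() == "")


def check_data_security_settings(settings, check_filesystem=False):
    """Return a list of (severity, message) tuples; an empty list means no findings."""
    findings = []
    section = settings.get("DataSecuritySettings")
    if section is None:
        return [("error", "DataSecuritySettings is missing; Encrypt/Decrypt process actions will fail")]

    storage = section.get("Storage", {})
    mode = storage.get("Mode")
    if mode == "LocalSystem":
        location = storage.get("LocalSystem", {}).get("StorageLocation")
        if _is_blank(location) or _is_placeholder(location):
            findings.append(("error", "Storage.LocalSystem.StorageLocation is not set"))
        elif check_filesystem:
            path = Path(location)
            if not path.is_dir():
                findings.append(("error", f"StorageLocation does not exist: {location}"))
            elif stat.S_IMODE(path.stat().st_mode) & 0o077:
                # Assumption (POSIX only): key material should be readable by the service account alone.
                findings.append(("warning", f"StorageLocation is group- or world-accessible: {location}"))
    elif mode == "Azure":
        azure = storage.get("Azure", {})
        url = azure.get("KeyVault", {}).get("Url") or ""
        if not KEY_VAULT_URL.match(url):
            findings.append(("error", f"Storage.Azure.KeyVault.Url is not a valid https vault URL: {url!r}"))
        creds = [azure.get(k) for k in ("TenantId", "ClientId", "ClientSecret")]
        unset = [_is_blank(v) or _is_placeholder(v) for v in creds]
        if all(unset):
            pass  # managed identity: no credential lives in the config file
        elif any(unset):
            # Assumption of this checker: a half-filled credential triple is a misconfiguration.
            findings.append(("error", "TenantId, ClientId and ClientSecret must all be set, or all be blank for managed identity"))
        else:
            findings.append(("warning", "ClientSecret is stored in appsettings.json; a managed identity keeps the secret out of the file"))
    else:
        findings.append(("error", f"Storage.Mode must be 'LocalSystem' or 'Azure', got {mode!r}"))

    protection = section.get("DataProtection")
    if protection is not None and protection.get("Active") is not True:
        findings.append(("warning", "DataProtection.Active is not true"))
    return findings


def lint_file(path, check_filesystem=True):
    """Load an appsettings.json from disk and return its findings."""
    with open(path, encoding="utf-8-sig") as fh:  # utf-8-sig tolerates a BOM written by Windows editors
        return check_data_security_settings(json.load(fh), check_filesystem=check_filesystem)


# Constructed sample configurations (not taken from any real deployment).
LOCAL_OK = {"DataSecuritySettings": {
    "Storage": {"Mode": "LocalSystem", "LocalSystem": {"StorageLocation": "/var/lib/indicium/keys"}},
    "DataProtection": {"Active": True, "EncryptionKey": {"Name": "thinkwise--data-protection-encryption-key"}}}}
LOCAL_TEMPLATE = {"DataSecuritySettings": {
    "Storage": {"Mode": "LocalSystem", "LocalSystem": {"StorageLocation": "<PathToStorageLocation>"}},
    "DataProtection": {"Active": True, "EncryptionKey": {"Name": "thinkwise--data-protection-encryption-key"}}}}
AZURE_MANAGED_IDENTITY = {"DataSecuritySettings": {"Storage": {"Mode": "Azure", "Azure": {
    "TenantId": "", "ClientId": "", "ClientSecret": "",
    "KeyVault": {"Url": "https://example-vault.vault.azure.net"}}}}}
AZURE_CLIENT_SECRET = {"DataSecuritySettings": {"Storage": {"Mode": "Azure", "Azure": {
    "TenantId": "00000000-0000-0000-0000-000000000000", "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "constructed-secret-value",
    "KeyVault": {"Url": "https://example-vault.vault.azure.net"}}}}}

if __name__ == "__main__":
    # Usage: python lint_datasecurity.py /path/to/appsettings.json
    samples = {"LOCAL_OK": LOCAL_OK, "LOCAL_TEMPLATE": LOCAL_TEMPLATE,
               "AZURE_MANAGED_IDENTITY": AZURE_MANAGED_IDENTITY, "AZURE_CLIENT_SECRET": AZURE_CLIENT_SECRET}
    results = {name: check_data_security_settings(cfg) for name, cfg in samples.items()}
    if len(sys.argv) > 1:
        results[sys.argv[1]] = lint_file(sys.argv[1])
    for name, found in results.items():
        print(name, "OK" if not found else "")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

Run it against a real appsettings.json to get the filesystem checks as well; the embedded samples run with `check_filesystem=False` so the script works offline on any machine. The placeholder detection is deliberately narrow (a value wrapped in angle brackets), matching how this page writes its template values.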
