Encryption on-premise
Introduction to encryption
In some cases, Indicium needs access to a secure location for storing encryption keys:
- When encrypting key values such as passwords, client secrets or API keys.
- When using the Encrypt and Decrypt process actions.
- When scaling to multiple Indicium instances.
It is very important to back up these keys. If you lose these keys, the encrypted data in the database can no longer be used and cannot be recovered in any way.
Without this setup, calling the Encrypt and Decrypt process actions in your application will result in an error.
Store encryption keys on-premise
When using an on-premise server:
- Store the encryption keys in a safe location. If you lose the keys, the encrypted data becomes useless.
- Make regular backups of the encryption keys.
In the appsettings.json configuration file, you can configure the location directly:
"DataProtectionSettings": {
"LocalFileSystem": {
"StorageLocation": "D:\\iis-dataprotection\\indicium-keys",
}
}
Store encryption keys on-premise with Azure Key Vault
You can also use on-premise with Azure Key Vault. This consists of:
- Create a new "App registration" in the Azure portal.
- Create an Azure Key Vault.
- Configure some settings in the
appsettings.json
configuration file.
- In Azure Active Directory, select App registrations to create the registration.
After creating the registration, you can find the Application (client) ID and the Tenant id in the Overview menu. These IDs will be used later.
-
From the Certificates & secrets menu, add a new "Client secret".
-
Copy or make a note of the secret value (not the secret id), this value is used in the last step.
-
Create a Key Vault from the Azure Portal.
-
Add an "Access Policy" to it to allow the Indicium instance Web App access.
-
In the Key Vault, select +Add Access Policy from the Access Policy menu on the left-hand side.
-
In the Secret permissions field, select the "Get", "List", and "Set" permissions.
-
In the Select principal field, select the "App registration" you created in the first step.
-
Click Add. You are automatically returned to the Access Policy screen.
-
Click Save to save the new access policy.
-
To use the newly created Key Vault, add the following section to the
appsettings.json
configuration file, and specify the values for TenantId, ClientId, and ClientSecret.
"DataProtectionSettings": {
"AzureKeyVault": {
"TenantId": "<tenant id>",
"ClientId": "<client id>",
"ClientSecret": "<tenant id value>",
"KeyVaultSecretUrl": "<key vault secret url>"
}
}