It is possible to use Microsoft Azure Key Vault to encrypt each tenant in your Orchestrator instance with its own unique key. The Key Vault is used by Orchestrator to store the keys in a safe manner, as well as to manage them, adding a better segregation of data between tenants.
Orchestrator has to be installed in either Microsoft Azure or on-premise in order to take advantage of this feature, yet the latter requires you to connect the Orchestrator instance to the internet and Azure Key Vault.
- Your own Microsoft Azure Key Vault
- A clean Orchestrator installation
- A valid SSL certificate for your Orchestrator instance:
- Private - It needs to be uploaded in App Services > SSL Settings > Private Certificates and it needs to be imported on the machine(s) Orchestrator is installed on (the domain where the certificate was generated and installed has to match the domain of the user you run Orchestrator under)
- Public - It needs to be uploaded in App registration > Settings > Keys > Public Keys
Encryption keys must not be edited on the Azure Key Vault side by users, such as enabling/disabling secrets or editing the activation and expiration dates. If a secret is disabled, data stored by Orchestrator for that tenant can no longer be decrypted.
To set up the connection between your Azure Key Vault and Orchestrator instances, follow these steps:
- Open the
web.configfile of your Orchestrator instance.
- Make sure that the
Database.EnableAutomaticMigrationsparameter is set to
true. Otherwise, all subsequent changes to the
web.configfile do not take effect.
- In Azure, in App Registrations, search for your Orchestrator instance and select it.
- Copy the Application ID and provide it as a value for the
web.configparameter, in the
<add key="Azure.KeyVault.ClientId" value="ae11aa1a-1234-1234-a123-a12a12aaa1aa" />.
- a. Look for the private certificate of your Orchestrator instance in App Services > SSL Settings > Private Certificates. (If your Orchestrator is on-premise, look for the certificate locally.)
b. Look for the public certificate of your Orchestrator instance in App registration > Settings > Keys > Public Keys.
- Copy the Thumbprint and provide it as a value for the
Azure.KeyVault.CertificateThumbprintparameter, in the
<add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />.
- In Azure, search for your key vault and select it. Information pertaining to it is displayed in a separate panel.
- Copy the DNS Name and provide it as a value for the
Azure.KeyVault.VaultAddressparameter, in the
<add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />.
- In the Access policies section, add the principal (registered app) Orchestrator belongs to, and grant all key, secret, and certificate permissions to Orchestrator in your vault.