Setting up Encryption Key per Tenant

You can use Microsoft Azure Key Vault to encrypt each tenant in your Orchestrator instance with its own unique key. Orchestrator uses the Key Vault to store and manage the keys safely, which gives you stronger segregation of data between tenants.

Orchestrator can be installed either in Microsoft Azure or on-premises to take advantage of this feature. An on-premises installation, however, requires the Orchestrator instance to have internet connectivity so that it can reach Azure Key Vault.

Prerequisites


  1. Your own Microsoft Azure Key Vault
  2. A clean Orchestrator installation
  3. A valid SSL certificate for your Orchestrator instance:
    • Private Key Certificate - It needs to be uploaded in App Services > SSL Settings > Private Key Certificates and it needs to be imported on the machine(s) Orchestrator is installed on (the domain where the certificate was generated and installed has to match the domain of the user you run Orchestrator under)
    • Public Key Certificate - It needs to be uploaded in App registration > Settings > Keys > Public Keys

Important!

Users must not modify the encryption keys on the Azure Key Vault side, for example by enabling or disabling secrets or by editing their activation and expiration dates. If a secret is disabled, Orchestrator can no longer decrypt the data stored for that tenant.

Setting Up the Connection Between Your Azure Key Vault and Orchestrator Instances


  1. Open the UiPath.Orchestrator.dll.config file of your Orchestrator instance.
  2. Make sure that the Database.EnableAutomaticMigrations parameter is set to true. Otherwise, all subsequent changes to the UiPath.Orchestrator.dll.config file do not take effect.
  3. Set EncryptionKeyPerTenant.Enabled to true.
  4. Set EncryptionKeyPerTenant.KeyProvider to AzureKeyVault.
  5. In Azure, in App Registrations, search for your Orchestrator instance and select it.
  6. Copy the Application ID and provide it as a value for the Azure.KeyVault.ClientId UiPath.Orchestrator.dll.config`` parameter, in the secureAppSettingssection. Example:`.
  1. Look for your private certificate for your Orchestrator instance in App Services > SSL Settings > Private Certificates. (If your Orchestrator is on-premise, look for the certificate locally.)

Certificate Store

  • Current User - The certificate was installed for a user account (Personal > Certificates). This works by default, because Orchestrator looks for certificates in the Current User store unless the CertificatesStoreLocation parameter specifies otherwise.
  • Local Machine - The certificate was installed in the local machine certificate store. Specify the LocalMachine certificate store in UiPath.Orchestrator.dll.config using the CertificatesStoreLocation parameter.

  8. Look for the public certificate of your Orchestrator instance in App registration > Settings > Keys > Public Keys.
  9. Copy the Thumbprint and provide it as the value of the Azure.KeyVault.CertificateThumbprint parameter, in the secureAppSettings section. Example: <add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />.
  10. In Azure, search for your key vault and select it. Information about it is displayed in a separate panel.
  11. Copy the DNS Name and provide it as the value of the Azure.KeyVault.VaultAddress parameter, in the secureAppSettings section. Example: <add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />.
  12. Give all key, secret, and certificate permissions to Orchestrator in your vault by adding the principal (the registered app) it belongs to in the Access policies section.
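The settings from the procedure above, collected into a single UiPath.Orchestrator.dll.config fragment so the pieces can be seen together. This is an added illustration, not an excerpt from the UiPath documentation or from a real installation: the placement of the Database, EncryptionKeyPerTenant, and CertificatesStoreLocation keys in the appSettings section is assumed, and the application ID, thumbprint, and vault name are constructed placeholders.

```xml
<configuration>
  <!-- Added example, not UiPath's own configuration file.
       Which section holds the first four keys is an assumption. -->
  <appSettings>
    <!-- Without automatic migrations, later changes to this file are ignored -->
    <add key="Database.EnableAutomaticMigrations" value="true" />

    <!-- Turn on per-tenant encryption keys, backed by Azure Key Vault -->
    <add key="EncryptionKeyPerTenant.Enabled" value="true" />
    <add key="EncryptionKeyPerTenant.KeyProvider" value="AzureKeyVault" />

    <!-- Only needed when the private certificate sits in the Local Machine
         store. Leave this key out if it was installed for the user account,
         because Orchestrator searches the Current User store by default. -->
    <add key="CertificatesStoreLocation" value="LocalMachine" />
  </appSettings>

  <secureAppSettings>
    <!-- Application ID of the Orchestrator app registration (placeholder GUID) -->
    <add key="Azure.KeyVault.ClientId" value="00000000-0000-0000-0000-000000000000" />

    <!-- Thumbprint of the public certificate uploaded to the app registration;
         the matching private key must be importable from the store named above
         (placeholder thumbprint) -->
    <add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />

    <!-- DNS name of the vault, copied from the Azure portal (placeholder vault name) -->
    <add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />
  </secureAppSettings>
</configuration>
```

After saving the file, confirm that the certificate with this thumbprint is present in the store Orchestrator will search: the Current User store when CertificatesStoreLocation is absent, the Local Machine store when it is set to LocalMachine. A certificate installed in one store while Orchestrator searches the other is the first thing to rule out if the vault connection does not come up.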
