# Setting up Encryption Key Per Tenant

> It is possible to use Microsoft Azure Key Vault to encrypt each tenant in your Orchestrator instance with its own unique key. Orchestrator uses the Key Vault to store and manage the keys in a safe manner, ensuring better segregation of your data between tenants.

Both Azure-hosted and on-premises Orchestrator installations can use this feature; an on-premises instance, however, must have internet connectivity so that it can reach Azure Key Vault.

## Overview

To use Azure Key Vault, Orchestrator must authenticate to Azure through an App Registration. An App Registration grants an application a set of privileges; in this case, Orchestrator is the application and access to Azure Key Vault is the privilege being granted.

You first need to give the App Registration access to Azure Key Vault. Orchestrator authenticates against the App Registration with a certificate: the SSL private key stored in the Orchestrator machine's certificate store is matched against the SSL public key uploaded to the App Registration. After the App Registration and the Key Vault are configured, you make a few changes to Orchestrator's config file. Once all of this is in place, Orchestrator can use Azure Key Vault to encrypt each tenant with its own key.

## Prerequisites

* Your own Microsoft Azure Key Vault
* A clean Orchestrator installation
* A valid SSL certificate for your Orchestrator instance:
  + Private Key Certificate - It needs to be uploaded in **App Services > SSL Settings > Private Key Certificates** and imported on the machine(s) Orchestrator is installed on. Keep in mind that the domain where the certificate was generated and installed has to match the domain of the user under which you run Orchestrator.
  + Public Key Certificate - It needs to be uploaded in **App registrations > Settings > Keys > Public Keys**
* **(Optional)** A self-signed certificate

:::note
Encryption keys must not be edited on the Azure Key Vault side by users, such as enabling/disabling secrets or editing the activation date and expiration date. If a secret is disabled, data stored by Orchestrator for that tenant is no longer decrypted.
:::

## App Registrations Steps

In Azure Portal's **App Registrations** pane, follow these steps:

1. Create a new app registration.
2. Copy the **Application (Client) ID** for later use.
3. Go to **Manage** > **Certificates & Secrets** and upload the public SSL certificate key mentioned in the prerequisites.
4. Copy the **Thumbprint** of this certificate for later use.

## Credential Store Steps

If you run Orchestrator under an Application Pool Identity, take the following steps:

1. Import the SSL private key certificate into the **Local Machine Personal Certificate Store**.
2. Give the Application Pool Identity access to the private key. The following steps explain how to do that.
3. Open **MMC**.
4. Go to **File** > **Add/Remove Snap-in**.
5. Select **Certificates** and click **Add** > **Computer Account** > **Local Computer**.
6. Click **OK**.
7. Navigate to **Certificates (Local Computer)** > **Personal** > **Certificates**, click **Finish**, and then **OK**.
8. In the **MMC**'s main window, right-click the certificate you are interested in, then select **All tasks** > **Manage private key**.
9. Click the **Add** button.
10. In the **Enter the object names to select** field, enter **IIS AppPool\<AppPoolName>**. Example: `IIS AppPool\UiPath Orchestrator`.
11. Grant full control.
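The MMC steps above are easy to get subtly wrong (for example, importing the `.cer` instead of the `.pfx`, or granting the ACL to the wrong identity), and the only symptom is an Orchestrator that cannot reach Key Vault. The following PowerShell script is an added example, not a UiPath tool: it verifies that the certificate with the given thumbprint is in the Local Machine Personal store, that it carries a private key, and that the application pool identity has an explicit Full Control entry on the key file. The thumbprint and pool name are placeholders; the key-file location under `%ProgramData%\Microsoft\Crypto` is the standard Windows location for machine keys.

```powershell
# Added example (not UiPath's own script): check the private-key ACL that the
# "Manage private key" steps are expected to produce. Run elevated.
$Thumbprint  = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT'   # placeholder: thumbprint from App Registrations
$AppPoolName = 'UiPath Orchestrator'                    # placeholder: your Orchestrator application pool
$Identity    = "IIS AppPool\$AppPoolName"

# 1. The certificate must be in the Local Machine Personal store (Cert:\LocalMachine\My)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# 2. It must carry the private key (a .cer import gives a public key only)
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import the .pfx" }

# 3. Locate the key container file. CNG keys expose CngKey.UniqueName,
#    legacy CAPI keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# 4. The application pool identity needs an Allow entry with Full Control
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $keyFile.FullName
$rule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}

if ($rule) {
    "OK: $Identity has Full Control on the private key of $($cert.Subject)"
} else {
    "MISSING: $Identity has no Full Control entry on $($keyFile.FullName)"
}
```

The check looks only for a direct ACE on the pool identity; if you grant access through a group instead, adapt the `IdentityReference` comparison. A `MISSING` result with an otherwise valid certificate is the case to repeat steps 8 to 11 for.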

If you run Orchestrator under a custom account, take the following step:

1. Import the SSL private key certificate mentioned in the prerequisites into the **Personal Certificate Store** of the user running the Orchestrator process.

If your Orchestrator is an Azure App Service installation, take the following step:

1. Import the SSL private key certificate mentioned in the prerequisites into **Orchestrator App Service** > **SSL Settings** > **Private Key Certificates**.

## Azure Key Vault Steps

In the Azure Key Vault, do the following:

1. Access the **Key Vaults Overview** page and copy the DNS name for later use.
2. Go to the **Key Vaults** page and select **Settings** > **Access policies**.
3. Click **Add access policy**.
4. From the **Configure from template (optional)** drop-down menu, select **Key, Secret, & Certificate Management**.
5. Click **None selected** in the **Authorized application** section to enable the **Select principal** field.
6. Enter the app registration name, confirm that the Application ID is correct, and select this principal.
7. Click **Add**.

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-docs-image-225778-87744154.webp)

## UiPath.Orchestrator.dll.config Steps

Make the following changes to Orchestrator's `UiPath.Orchestrator.dll.config` file:

1. Open the `UiPath.Orchestrator.dll.config` file of your Orchestrator instance.
2. In the `AppSettings` section, do the following:
   1. Set the `Database.EnableAutomaticMigrations` parameter to `true`. Otherwise, all subsequent changes to the `UiPath.Orchestrator.dll.config` do not take effect.
   2. Set `EncryptionKeyPerTenant.Enabled` to `true`.
   3. Set `EncryptionKeyPerTenant.KeyProvider` to `AzureKeyVault`.
   4. For Orchestrator using Application Pool Identity, set `CertificatesStoreLocation` to `LocalMachine`.
3. In the `secureAppSettings` section, do the following:
   1. Remove or comment out the `EncryptionKey` key.
   2. Copy the **Application (Client) ID** from the **App Registrations** page and provide it as the value of the `Azure.KeyVault.ClientId` parameter. Example: `<add key="Azure.KeyVault.ClientId" value="ae11aa1a-1234-1234-a123-a12a12aaa1aa" />`.

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-docs-image-226891-385e1b2b.webp)
   
   3. Copy the **Directory (tenant) ID** of your organization from the **App Registrations** page and provide it as a value for the `Azure.KeyVault.DirectoryId` parameter. Example: `<add key="Azure.KeyVault.DirectoryId" value="d8353d2a-b153-4d17-8827-902c51f72357" />`.
   4. Copy the **Thumbprint** from the **App Registrations** page and provide it as a value for the `Azure.KeyVault.CertificateThumbprint` parameter. Example: `<add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />`.
   5. Copy the **DNS Name** from the **Key Vaults Overview** page and provide it as a value for the `Azure.KeyVault.VaultAddress` parameter. Example: `<add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />`.
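Because these config changes are usually rolled out to more than one Orchestrator node and must be applied exactly (the `EncryptionKey` removed, every `Azure.KeyVault.*` key present, `Database.EnableAutomaticMigrations` set first), it helps to script them. The PowerShell script below is an added example, not part of UiPath's product or documentation: it backs up `UiPath.Orchestrator.dll.config`, then uses the XML DOM to set the keys listed in steps 2 and 3 and to remove the static `EncryptionKey`. The config path is a placeholder; the ID, thumbprint and vault address values are the page's own sample values, and the assumption that both sections sit directly under the `<configuration>` root is mine.

```powershell
# Added example (not UiPath's own tooling): apply the "UiPath.Orchestrator.dll.config
# Steps" with the XML DOM instead of by hand. Replace the placeholders before use.
$ConfigPath = 'REPLACE_WITH_ORCHESTRATOR_DIR\UiPath.Orchestrator.dll.config'   # placeholder path

# appSettings values from step 2 (CertificatesStoreLocation only applies to
# Orchestrator running under an Application Pool Identity; drop it otherwise)
$AppSettings = [ordered]@{
    'Database.EnableAutomaticMigrations' = 'true'          # required, or later changes do not take effect
    'EncryptionKeyPerTenant.Enabled'     = 'true'
    'EncryptionKeyPerTenant.KeyProvider' = 'AzureKeyVault'
    'CertificatesStoreLocation'          = 'LocalMachine'
}

# secureAppSettings values from step 3 (sample values from the page; replace with yours)
$SecureAppSettings = [ordered]@{
    'Azure.KeyVault.ClientId'              = 'ae11aa1a-1234-1234-a123-a12a12aaa1aa'
    'Azure.KeyVault.DirectoryId'           = 'd8353d2a-b153-4d17-8827-902c51f72357'
    'Azure.KeyVault.CertificateThumbprint' = '1234123412341234123412341234124312341234'
    'Azure.KeyVault.VaultAddress'          = 'https://CustomVaultName.vault.azure.net/'
}

# Create or update an <add key="..." value="..."/> element inside a section
function Set-AddKey {
    param([System.Xml.XmlElement]$Section, [string]$Key, [string]$Value)
    $node = $Section.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $Section.OwnerDocument.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$Section.AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
}

# Keep a copy of the original file before touching it
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

[xml]$config = Get-Content -Path $ConfigPath -Raw
$appSection    = $config.SelectSingleNode('/configuration/appSettings')        # assumed location
$secureSection = $config.SelectSingleNode('/configuration/secureAppSettings')  # assumed location
if (-not $appSection -or -not $secureSection) {
    throw 'appSettings or secureAppSettings section not found (is secureAppSettings still encrypted?)'
}

foreach ($kv in $AppSettings.GetEnumerator())       { Set-AddKey -Section $appSection    -Key $kv.Key -Value $kv.Value }
foreach ($kv in $SecureAppSettings.GetEnumerator()) { Set-AddKey -Section $secureSection -Key $kv.Key -Value $kv.Value }

# Step 3.1: the static EncryptionKey is replaced by the per-tenant keys in Key Vault
$oldKey = $secureSection.SelectSingleNode("add[@key='EncryptionKey']")
if ($oldKey) { [void]$secureSection.RemoveChild($oldKey) }

$config.Save($ConfigPath)
"Updated $ConfigPath (backup at $ConfigPath.bak)"
```

If the `secureAppSettings` section has been protected with a configuration encryption provider, the `<add>` elements are not visible to the DOM; decrypt the section first, apply the changes, and re-protect it afterwards.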
