Protect the Tenant database with Azure Key Vault

Identify Configurator stores tenant configurations in the IdentityTenant database that may contain credentials used when upgrading or replicating tenants. In addition to other database encryption methods, we provide an option to use Azure Key Vault encryption keys to encrypt all credentials information. You can select one or more methods to apply to your Identify deployment. The advantage of this option is that because only credentials are encrypted, you can , for example, to attach configuration data in support tickets, without leaking credentials.

Set up an encryption key in the Azure Key Vault

To protect the Tenant database, you need to have an RSA or RSA-HSM key for encryption. You can use the Azure Portal or Azure CLI to generate or import a Key to your Azure Key Vault.

Assuming that you have an encryption key ready, you now need to set up an access policy to allow the Identify Configurator to use the key for encryption operations. Supported authentication methods are:

Authentication with Managed Identity

When running the Configurator on an Azure Virtual Machine, you can use a Managed Identity to authenticate keys in the Azure Key Vault. To do this, you need to set up a Managed Identity and assign it to your target Azure Key Vault:

Note that you must select the "Get", "Encrypt" and "Decrypt" permissions for your Managed Identity.

You then need to assign (using either "System assigned" or "User assigned") the Managed Identity to your target Azure Virtual Machine:

Authentication with Azure CLI

Instead of using a Managed Identity, you can use the Azure CLI to authenticate the server (on-premise servers are fine) in the Azure Key Vault. To do this, you need to assign a user account to access the Azure Key Vault on the Access policies tab:

Note that you must select the "Get", "Encrypt" and "Decrypt" permissions for your user.

Use the Azure CLI to log in with the above user account. After finishing the login, the Azure CLI will save a special key in your user profile's environment variables. As a result, all applications that run as your user account on that server will have access the Azure Key Vault encryption key.

Use the Configurator's Configure Encryption Key feature

Some important notes to keep in mind before using an Azure Key Vault encryption key to encrypt all sensitive data in the Tenant database:

1. This action will change data in the Tenant database, so we strongly recommend that you back up the database before continuing.
2. On a replicating machine, you need to perform the same steps to grant access for the machine to the Azure Key Vault encryption key. However, you don't need to perform the Configure Encryption Key action again.
3. All your tenants in the Tenant database need to be upgraded to version 5.11 or newer.

Once the encryption key is ready, you can use it to encrypt all sensitive information in the Tenant database as follow:

1. Choose the Configure Encryption Key feature from the Select action tab

2. The Configure Encryption Key wizard displays. It will show a warning before running this process.

3. Enter Azure Key Vault settings

Besides the Azure Key Vault URL and Key name, the Configurator will also ask you to provide a Recovery password, which you can use in case the Configurator cannot access the encryption key anymore.

If the Configurator cannot access the configured encryption key, it will ask you to provide the recovery password at the Tenant database step:

You can enter the recovery password and continue using the Configurator. You can also then use the Configure encryption key to configure a new valid encryption key.

4. Execute the process

Click the Next button to run the encryption process.

Now, all sensitive information in your Tenant database is encrypted.