Extension: Azure KeyVault Setup - quandis/qbo3-Documentation GitHub Wiki

Initial Setup

Create a KeyVault using the Azure Portal interface:

  1. Create a new resource
  2. Select Key Vault
  3. Fill out desired details and Create

Create a key to be used with IEncryption / qbo.Encryption.Azure:

  1. Navigate to the Key Vault that was created
  2. Select Keys
  3. Hit Generate/Import
  4. Ensure Generate is selected in the drop-down, the Key Type is RSA, and the remaining details are filled out
  5. Create
  6. Select your new key, click the current version and find the field Key Identifier. This URL is how the key is referenced in code and configuration

Configuring Azure connectivity

We want to take advantage of managed identities for Azure resources, so that our code running on an Azure virtual machine can connect to the Key Vault and other resources without storing any credentials on the machine.

Microsoft's documentation on managed identities describes them in detail.

Enable the managed identity for an Azure VM:

  1. Select Identity when viewing the VM resource
  2. Select the System assigned tab
  3. Switch Status to On and save

We now need to grant the VM's identity permissions on the Key Vault.

Add Access policy on the Key Vault:

  1. Select Access policies on the resource
  2. Add new
  3. Select principal, type in the name of the VM resource, and select it
  4. Ensure the desired permissions are selected. For IEncryption / qbo.Encryption.Azure purposes, only Get and Decrypt under Key permissions are needed.
  5. Do NOT change Authorized application (leave it as None selected). Hit OK.
  6. The access policy should now be shown in the list.
  7. Hit Save.

Configure QBO

Now we need to set up the website to use qbo.Encryption.Azure with our new Key in the Key Vault.

EncryptionKeys.Config

Using EncryptionKeys.Base.Config as a template, create a new EncryptionKeys.Config and add a child element under Keys:

<EncryptionKey Name="Unique Key Name" KeyUri="Complete URL of the new key (the Key Identifier from the portal)" Type="qbo.Encryption.Azure.KvEncryptionKey, qbo.Encryption.Azure" />

Type uses the usual "Class, assembly" form.

SystemDefault addition

Create a system default to override qbo.Application.Properties.Settings.Default.DefaultEncryptionKey and set it to the unique key name of the new EncryptionKey in EncryptionKeys.Config.

Verification

Once the previous steps have been completed in an environment, credentials should now be protected with your new EncryptionKey. When the application uses its credentials, it will recognize that an EncryptionKey is configured and make use of it.
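As an added check that is not part of the qbo3 wiki or the qbo.Encryption.Azure library, the following C# console program (using the Azure.Identity and Azure.Security.KeyVault.Keys packages) round-trips a test value through the key under the VM's managed identity: the encrypt step uses the public key fetched with the Get permission and runs locally, while the decrypt step is performed inside Key Vault and exercises the Decrypt permission. The class name, sample string and usage are assumptions.

```csharp
using System;
using System.Text;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;

// Round-trip a test value through the Key Vault key to confirm that the VM's
// managed identity and the access policy (Get + Decrypt) are wired correctly.
// Run this on the Azure VM whose system-assigned identity was granted the policy.
public static class KeyVaultAccessCheck
{
    // Returns true when the plaintext survives encrypt (local) + decrypt (in Key Vault).
    public static bool RoundTrip(string keyIdentifier)
    {
        // DefaultAzureCredential picks up the VM's system-assigned managed identity
        // from the instance metadata endpoint; no secret is stored on the machine.
        var credential = new DefaultAzureCredential();
        // keyIdentifier is the Key Identifier copied from the portal, e.g.
        // https://<vault>.vault.azure.net/keys/<name>/<version> (placeholder).
        var crypto = new CryptographyClient(new Uri(keyIdentifier), credential);
        byte[] plaintext = Encoding.UTF8.GetBytes("qbo access-policy check"); // constructed sample
        // Encrypt: with the Get permission the client fetches the public key and
        // performs RSA-OAEP locally, so no Encrypt permission is required.
        EncryptResult enc = crypto.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
        // Decrypt: the private key never leaves Key Vault, so this call goes to the
        // service and is the one that needs the Decrypt permission.
        DecryptResult dec = crypto.Decrypt(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);
        return Encoding.UTF8.GetString(dec.Plaintext) == "qbo access-policy check";
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: KeyVaultAccessCheck <key-identifier-url>");
            return;
        }
        try
        {
            Console.WriteLine(RoundTrip(args[0])
                ? "OK: Get + Decrypt work via managed identity"
                : "FAIL: plaintext mismatch");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // 403 means the identity reached the vault but the access policy lacks a permission.
            Console.WriteLine($"FAIL: access policy is missing a permission ({ex.ErrorCode})");
        }
    }
}
```

A 403 on the Decrypt call with a successful Encrypt is the signature of an access policy that grants Get but not Decrypt; an exception from DefaultAzureCredential itself means the VM's system-assigned identity is not enabled.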