Key Vault Integration

Secure key management is essential to protecting data in the cloud. Use Azure Key Vault to encrypt keys and small secrets such as passwords and share them securely with the application under a Zero Trust model.

Create Key Vault

  • Select the option ‘Create a resource’ from Azure home page

  • Search for the resource type ‘Key vault’ in Azure Marketplace and select the service ‘Key Vault by Microsoft’ from the results

  • Click on ‘Create’

  • In the Basics tab, select the same Subscription, Resource Group and Region as the pre-existing Inforiver deployment and give the key vault a valid name

  • Under the Access policy tab, you can choose either ‘Vault access policy’ or ‘Azure RBAC’ as the permission model. This guide uses ‘Vault access policy’; make sure you have the proper rights under ‘Access policies’

  • In Networking, uncheck the option ‘Enable public access’ and create a private endpoint in the ‘private’ subnet of the Inforiver VNet with private DNS Zone enabled

  • Validate everything and click on Create

  • Once completed, you should see 3 new resources added to the Inforiver Resource group

Configure Key Vault

  • From the Inforiver App Service, enable ‘System assigned managed Identity’ and save. Copy the created object ID; it will be used to assign permissions on the key vault to get secrets

  • From the key vault, create a new access policy

  • Under ‘Permissions’ tab, select ‘Secret Management’ as template and choose only ‘List’ and ‘Get’ in ‘Secret permissions’

  • Under the ‘Principal’ tab, search using the copied object ID and select the listed principal

  • Validate everything and create

  • Enable public access for the key vault temporarily to create secrets

  • From the App Service configuration page, copy each confidential environment variable’s name and value, then create them as secrets in the key vault

  • Key vault secret names cannot contain special characters, so you need to remove the underscores in the name. For example: ‘SMTP_API_KEY’ will need to be changed into ‘SMTPAPIKEY’

  • We recommend creating these listed secrets in Key vault

Configure App Service

  • Once you have created all the secrets (copied from the App Service), change the app configuration values to reference the Key Vault secrets instead of holding plain-text passwords directly. Reference example: @Microsoft.KeyVault(SecretUri=https://.vault.azure.net/secrets//)

  • Edit the App Service environment values

  • Make sure that every secret is updated with a Key Vault reference, then click on Save

  • Please note that clicking on ‘Continue’ here will restart the app service

  • Check that the app restart is successful and that you can log in to Inforiver

  • Finally, disable ‘Public access’ in the key vault and restart the App Service once again to validate that the App Service can connect to it through the private endpoint

  • In the Inforiver management portal, validate on the metrics tab that everything works and is green.
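
To check the step above that every confidential setting now holds a Key Vault reference, the following added example (not Inforiver or Microsoft code) audits an export of the app settings and also reports setting names that collide once underscores are removed. The vault names, the setting names other than SMTP_API_KEY, the name pattern used for validation and the JSON shape (modelled on `az webapp config appsettings list`) are assumptions.

```python
import re
# SecretUri form of an App Service Key Vault reference; the version segment is optional.
REF_RE = re.compile(
    r"@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[A-Za-z0-9-]{3,24})\.vault\.azure\.net"
    r"/secrets/(?P<secret>[A-Za-z0-9-]{1,127})(?:/(?:[0-9a-f]{32})?)?\)"
)

def secret_name(setting):
    """Secret name for an app setting: underscores removed, as this guide prescribes."""
    name = setting.replace("_", "")
    if not re.fullmatch(r"[A-Za-z0-9-]{1,127}", name):  # assumed name pattern
        raise ValueError(f"{setting!r} does not map to a valid secret name")
    return name

def reference(vault, setting):
    """Value to store in the app setting in place of the plain-text secret."""
    return (f"@Microsoft.KeyVault(SecretUri=https://{vault}.vault.azure.net"
            f"/secrets/{secret_name(setting)}/)")

def collisions(settings):
    """Groups of settings that collapse to one secret name (compared case-insensitively)."""
    groups = {}
    for s in settings:
        groups.setdefault(secret_name(s).lower(), []).append(s)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def audit(app_settings, confidential, vault):
    """Finding per confidential setting; an empty dict means every one is a reference."""
    values = {s["name"]: s["value"] for s in app_settings}
    findings = {}
    for name in confidential:
        m = REF_RE.fullmatch(values.get(name, ""))
        if name not in values:
            findings[name] = "missing"
        elif m is None:
            findings[name] = "plaintext value"
        elif m["vault"].lower() != vault.lower():
            findings[name] = "references another vault"
        elif m["secret"] != secret_name(name):
            findings[name] = "references another secret"
    return findings

# Constructed sample, shaped like `az webapp config appsettings list` output.
SAMPLE = [
    {"name": "SMTP_API_KEY", "value": reference("example-kv", "SMTP_API_KEY")},
    {"name": "DB_PASSWORD", "value": "hunter2"},  # still plain text
    {"name": "SESSION_SECRET", "value": reference("other-kv", "SESSION_SECRET")},
]
if __name__ == "__main__":
    print(audit(SAMPLE, ["SMTP_API_KEY", "DB_PASSWORD", "SESSION_SECRET", "JWT_KEY"], "example-kv"))
```

Run `collisions` over the setting names before creating the secrets: two settings that map to the same secret name would silently share one value.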
