Knowledge: Using Key Vault in AzureAD to store Sysero DataRoom Encryption Key for Text Fields
Manual: Administration
Manual Level Two: Integrations
Manual Level Three: Office365
Created: 15/10/2021
Key Vault secrets are used for encrypting Data Rooms, so that customers can store their own encryption key, which only their own users have access to.
Note: only Text Field types in Sysero can be encrypted, and encryption is enabled on a case-by-case basis in the form field settings.
Office365 (Azure Active Directory) App Registration Settings
Prerequisite: the Setting up OAuth Authentication from Office365 / AzureAD to Sysero guide must already have been completed.
- Open the App Registration called something like Sysero (User Delegated).
- In Authentication check Access tokens (used for implicit flows).
- In Certificates and Secrets, add a secret and copy the value.
- Add the following API Permissions:
- Azure Key Vault > user_impersonation > User Delegated (Grant Admin Consent).
Office365 (Azure Active Directory) Key Vault Settings
Setup key vault:
- Go to Azure Key Vaults.
- Create Key Vault if required.
- Add secret to Key Vault.
- Copy Vault URI (Endpoint), Secret Name and Secret Version.
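As an added example (not code from Sysero or from Microsoft's documentation), the following Az PowerShell script performs the four Key Vault steps above, grants read access to an Azure AD group of Data Room users, outputs the Endpoint, Secret Name and Secret Version that Sysero asks for, and checks the enabled flag that decides whether encrypted fields display. The resource group, vault, secret and group names and the region are placeholders; the script assumes the Az.Accounts, Az.KeyVault and Az.Resources modules are installed, that the vault uses Azure RBAC rather than legacy access policies, and (inferred from the delegated user_impersonation permission in the app registration above) that each user who reads encrypted fields needs their own secrets-read role on the vault.

```powershell
# Added example, not Sysero's code. Placeholder names throughout; replace before use.
$ResourceGroup = 'rg-sysero-dataroom'
$Location      = 'uksouth'
$VaultName     = 'kv-sysero-dataroom-01'     # must be globally unique
$SecretName    = 'dataroom-text-field-key'
$UserGroup     = 'Sysero DataRoom Users'     # Azure AD group whose members may decrypt

Connect-AzAccount | Out-Null

# Step 1: create the Key Vault if required (RBAC mode: access is granted by role assignment).
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}
$vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
                 -Location $Location -EnableRbacAuthorization
}

# Creating the vault does not grant data-plane rights; the signed-in admin needs
# a secrets-write role before Set-AzKeyVaultSecret will succeed.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $vault.ResourceId -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 30   # allow the role assignment to propagate

# Step 2: generate a 256-bit random key and store it as the secret value.
# The value is never written to disk or to the console. Keep a copy in a second,
# independently controlled location: a lost key means the encrypted fields are lost.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$secureValue = ConvertTo-SecureString ([Convert]::ToBase64String($keyBytes)) -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secureValue

# Step 3: grant read access only to the users who may see the decrypted fields.
# The delegated user_impersonation permission means the vault checks the user's own
# identity, so the users (not only the app registration) need a secrets-read role.
$group = Get-AzADGroup -DisplayName $UserGroup
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $vault.ResourceId -ErrorAction SilentlyContinue | Out-Null

# Step 4: the three values to enter under Data Room > Advanced Settings > Encryption.
[pscustomobject]@{
    Endpoint      = $vault.VaultUri      # e.g. https://kv-sysero-dataroom-01.vault.azure.net/
    SecretName    = $secret.Name
    SecretVersion = $secret.Version      # pin this version; a new version is a different key
}

# Check: a disabled secret (or a user without the role above) means Sysero will not
# show the encrypted field contents.
$check = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -Version $secret.Version
if (-not $check.Enabled) {
    Write-Warning "Secret '$SecretName' version $($secret.Version) is disabled; encrypted fields will not display."
}
```

Run the script once per key; to reuse the same key for several Data Rooms, enter the same three output values in each Data Room's Encryption settings rather than creating a new secret version.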
Sysero OAuth Configuration
Go to Sysero > System Admin > OAuth Settings:
- Set Token Mode Office365 to OpenID and User Access Token.
- Set OAuth Secret Office365 (User Delegated).
Sysero Key Vault Settings
These are set on a per Data Room basis, and the same key can be used for more than one Data Room. Please note that if this key is lost there is no way Sysero can help you decrypt the data; it is lost forever. To configure:
- Go to Sysero > Admin > Data Rooms > Data Room > Advanced Settings > Encryption and set:
- Endpoint.
- Secret Name.
- Secret Version.
- Go to Feature Settings and enable OAuth: Validate Office365 token on access.
- For any field that requires vault key encryption, edit the field in the forms editor and, in the Text Field settings, set Encrypted to "users with vault key access (no impersonation)".
If the key is disabled, or a user does not have access to it, the data will not be shown to that user.