automation-suite
2022.10
false
UiPath logo, featuring letters U and I in white

Automation Suite admin guide

Last updated Aug 22, 2025

Setting up encryption key per tenant

It is possible to use Microsoft Azure Key Vault to encrypt each tenant in your Orchestrator instance with its own unique key. Orchestrator uses the Key Vault to store and manage the keys in a safe manner, ensuring better segregation of your data between tenants.

Orchestrator installed in Automation Suite can take advantage of this feature, but you must connect the Orchestrator app to the internet and Azure Key Vault.

Overview

Orchestrator authentication is needed to use Azure Key Vault via App Registrations. App Registrations can grant a series of privileges to applications. In our case, Orchestrator is the application, and Azure Key Vault is the targeted privilege.

You first need to configure App Registrations access to Azure Key Vault. Orchestrator authentication with App Registrations is possible using the SSL private key of a certificate with the SSL public key uploaded to App Registrations. After configuring the App Registrations and Key Vault, you need to make some changes to orchestrator-customconfig configmap used in the Automation Suite cluster, and modify the relevant ArgoCD parameters for the Orchestrator app form the ArgoCD UI. Once these criteria are met, Orchestrator can use Azure Key Vault to encrypt each tenant.

Prerequisites

  • Your own Microsoft Azure Key Vault
  • A clean Orchestrator installation in Automation Suite

  • A valid SSL certificate:

    • Private Key Certificate — It needs to be uploaded in App Services > SSL Settings > Private Key Certificates
    • Public Key Certificate — It needs to be uploaded in App registrations > Settings > Keys > Public Keys
  • (Optional) A self-signed certificate

To convert the .pfx certificate file to base64, run the following command:

  • PowerShell: [convert]::ToBase64String((Get-Content -path "path_to_certificate" -Encoding byte))
  • Shell: base64 [_path_to_certificate_]
Note: Encryption keys must not be edited on the Azure Key Vault side by users, such as enabling/disabling secrets or editing the activation date and expiration date. If a secret is disabled, data stored by Orchestrator for that tenant is no longer decrypted.

App registrations steps

In Azure Portal's App Registrations pane, follow these steps:

  1. Create a new app registration.
  2. Copy the Application (Client) ID for later use.
  3. Go to Manage > Certificates & Secrets and upload the public SSL certificate key mentioned in the prerequisite.

Azure Key Vault steps

In the Azure Key Vault, do the following:

  1. Access the Key Vaults Overview page and copy the DNS name for later use.
  2. Go to the Key Vaults page and select Settings > Access policies.
  3. Select Add access policy.
  4. From the Configure from template (optional) drop-down menu, select Key, Secret, & Certificate Management.
  5. Select None selected in the Authorized application section to enable the Select principal field.
  6. Enter the app registration name, confirm that the Application ID is correct, and select this principal.
  7. Select Add.


Orchestrator custom configuration steps

Make the following configuration changes to Orchestrator:

  1. Configure Azure Key Vault for Orchestrator Instance from ArgoCD UI Parameters:
    1. Copy the base64 form of the certificate and provide it as a value for the encryptionKeyPerTenant.certificateBase64 parameter.
    2. Copy the certificate password, if any, and provide it as a value for the encryptionKeyPerTenant.certificatePassword parameter.
    3. Copy the Input Application (Client) ID from the App Registrations page and provide it as a value for the encryptionKeyPerTenant.clientId parameter.
    4. Copy the Directory (tenant) ID of your organization from the App Registrations page and provide it as a value for the encryptionKeyPerTenant.directoryId parameter.
    5. Copy the DNS Name from the Key Vaults Overview page and provide it as a value for the encryptionKeyPerTenant.vaultAddress parameter.


  2. Update the orchestrator-customconfig configmap's AppSettings section as follows to enable the encryption key per tenant feature:
    1. Set EncryptionKeyPerTenant.Enabled to true.
    2. Set EncryptionKeyPerTenant.KeyProvider to AzureKeyVault.
      This can be done via the orchestrator-configurator.sh or by updating the configmap using Lens.
  3. Restart the Orchestrator Automation Suite deployment from the cluster for the changes to take effect.
Note: If you are migrating from standalone Orchestrator to Automation Suite, SMTP settings in Identity Server are not encrypted with the per-tenant key. Once the migration is complete, make sure to re-enter the SMTP password in the Automation Suite portal.

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2025 UiPath. All rights reserved.