

Encrypt credentials and secrets

Important

This content is being retired and may not be updated in the future. The support for Machine Learning Server will end on July 1, 2022. For more information, see What's happening to Machine Learning Server?

Applies to: Machine Learning Server, Microsoft R Server

For security purposes, we strongly recommend that you encrypt secrets stored in the appsettings.json configuration file. For example, encrypt any remote database connection strings and LDAP/LDAP-S passwords rather than storing them in plain text.

The encryption function in the administration utility uses the RSA algorithm.

To encrypt credentials or secrets:

  1. On the web node, install a credential encryption certificate with a private key into the default certificate store on the local machine. On Windows, that is the Windows certificate store; on Linux, it is a PFX file.

    The length of the encryption key is determined by the certificate; we recommend a length of at least 1048 bits.

    Ensure that your certificate is secured properly. On Windows, for example, you can use BitLocker to encrypt the disk.

  2. Open the administration tool to encrypt the secret:

    • For Machine Learning Server 9.3 and later, use the admin extension of the Azure Command Line Interface (Azure CLI) to encrypt your credentials.

      You do not need an Azure subscription to use this CLI. It is installed as part of Machine Learning Server and runs locally.

      1. On the machine hosting the node, launch a command-line window or terminal with administrator (Windows) or root/sudo (Linux) privileges.

      2. Run the command to encrypt:

        Note

        For Machine Learning Server 9.4, use "az mlserver admin" instead of "az ml admin".

        # With elevated privileges, run the following commands.
        # Get help on the commands
        az ml admin credentials --help

        # Display the list of certificates installed on this machine
        az ml admin credentials list

        # Example output:
        # [
        #   "A. DC=Windows Azure CRP Certificate Generator (private key)"
        # ]

        # Encrypt a secret
        az ml admin credentials set --cert-store-name <CERT_STORE_NAME> --cert-store-location <CERT_STORE_LOCATION> --cert-subject_name <CERT_SUBJECT_NAME> --secret <secret>
        
        | CLI option | Description |
        |---|---|
        | list | Returns the list of certificates found on the machine. |
        | set | Returns an encrypted string when you specify a certificate and a secret to be encrypted. |
        | --cert-store-name | The certificate store name. In Windows, it is usually one of "My", "Root", "TrustedPeople", etc. |
        | --cert-store-location | The certificate store location. In Windows, it is either "CurrentUser" or "LocalMachine". |
        | --cert-subject_name | The subject name of the certificate. You can check it with "az ml admin credentials list". In the example above, the subject name is "DC=Windows Azure CRP Certificate Generator". For a subject name with multiple entries, escape the subject name as follows: az ml admin credentials --cert-subject_name "\"CN=myhost.mydomain.local, O=myCompany, L=Local, C=MyCountry\"" |
        | --secret | The information you want to encrypt. |

        The CLI returns an encrypted string.

    • For versions 9.0 - 9.2: Launch the administration utility with administrator privileges (Windows) or root/sudo privileges (Linux).

      1. From the main menu, choose the option Encrypt Credentials.

      2. Specify where the encryption certificate is installed:

        • Local machine (Computer account)
        • Current user (My user account)

      3. Specify which encryption certificate to use.

      4. Enter information you want to encrypt. The tool returns an encrypted string.

  3. Open the configuration file, <web-node-install-path>/appsettings.json.

  4. In that file, update the appropriate section (the remote database connection string or the authentication password) by replacing the plain-text value with the encrypted string returned by the tool.
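The procedure above amounts to public-key encryption of a configuration value: the certificate's public key produces the string you paste into appsettings.json, and only the web node holding the certificate's private key can recover it. The following is an added example written for this page, not code from Machine Learning Server or its admin utility, that models those steps in Python with the `cryptography` package. The padding (RSA-OAEP with SHA-256), the base64 text encoding, the 2048-bit `MIN_KEY_BITS` floor, the appsettings key names and all function names are assumptions; the page only says the tool uses RSA and does not document its actual output format.

```python
import base64
import datetime
import json

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Assumption: a 2048-bit floor for the certificate key (the page's own figure
# is "at least 1048 bits"); anything shorter is refused before encrypting.
MIN_KEY_BITS = 2048

# Assumption: RSA-OAEP with SHA-256. The page only says "RSA"; the admin
# utility's exact padding and text encoding are not documented there.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_encryption_certificate(subject_cn, key_bits=MIN_KEY_BITS):
    """Constructed stand-in for the credential encryption certificate the
    procedure installs in the machine store: a self-signed cert plus its private key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return cert, key


def encrypt_secret(cert, secret):
    """Conceptual 'credentials set': needs only the certificate's public key.
    Returns a base64 string that can be pasted into a JSON value."""
    public_key = cert.public_key()
    if public_key.key_size < MIN_KEY_BITS:
        raise ValueError(f"certificate key is {public_key.key_size} bits, below {MIN_KEY_BITS}")
    data = secret.encode("utf-8")
    # OAEP can only wrap a limited payload: modulus bytes minus 2*hash length minus 2.
    max_len = public_key.key_size // 8 - 2 * hashes.SHA256().digest_size - 2
    if len(data) > max_len:
        raise ValueError(f"secret is {len(data)} bytes; this key can encrypt at most {max_len}")
    return base64.b64encode(public_key.encrypt(data, OAEP)).decode("ascii")


def decrypt_secret(private_key, token):
    """What the web node does at startup: the private key recovers the plaintext."""
    return private_key.decrypt(base64.b64decode(token), OAEP).decode("utf-8")


def protect_setting(cert, settings, path):
    """Return a copy of an appsettings-style dict with one nested plain-text value
    (addressed by a tuple of keys) replaced by its encrypted form."""
    protected = json.loads(json.dumps(settings))  # deep copy, leaves the input untouched
    node = protected
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = encrypt_secret(cert, node[path[-1]])
    return protected


if __name__ == "__main__":
    cert, key = make_encryption_certificate("mlserver-credential-encryption")
    # Constructed appsettings fragment; the key names are hypothetical.
    settings = {"Authentication": {"LDAP": {"Password": "ldap-bind-password"}}}
    protected = protect_setting(cert, settings, ("Authentication", "LDAP", "Password"))
    print(json.dumps(protected, indent=2))
    print("round trip:", decrypt_secret(key, protected["Authentication"]["LDAP"]["Password"]))
```

Two properties of the example carry over to the real procedure: encryption needs nothing secret (anyone with the certificate can produce a ciphertext), so the value of the scheme rests entirely on keeping the private key in the machine store protected, which is why step 1 installs a certificate with a private key and recommends disk encryption; and OAEP is randomized, so re-encrypting the same secret yields a different string each time, which is normal and not a sign of a mismatch.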

Note

You can bypass the script interface by using the argument '-encryptsecret encryptSecret encryptSecretCertificateStoreName encryptSecretCertificateStoreLocation encryptSecretCertificateSubjectName'. See the table at the end of this topic.