Encryption and Decryption in APIM for the subscription keys

Taskal Samal 11 Reputation points
2021-11-23T00:50:07.787+00:00

Hi,

We are using APIM as a proxy between frontend apps and the backend. Now, whenever frontend apps access backend APIs via APIM, they pass the APIM subscription key in parameters as plain text. Is there any way that, if we encrypt the subscription key on the frontend, it can be decrypted in an Azure APIM policy?

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. MayankBargali-MSFT 68,656 Reputation points
    2021-11-23T04:24:51.877+00:00

    @Taskal Samal You cannot encrypt/decrypt the subscription keys, as to authenticate calls to the APIM APIs it needs the subscription key without encryption, since that is the first step in authenticating the request.
    Alternatively, you can have a middle service/proxy that the front end calls, and that middle service/proxy makes the call to APIM using the plain-text subscription key. There is already another discussion on the same topic in this thread.

    You can also refer to the Azure security baseline for API Management document for more details on how you can secure your cloud solutions on Azure, the security controls defined by the Azure Security Benchmark, and the related guidance applicable to API Management.

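The middle service/proxy pattern described in the answer, as an added example that is not part of the original thread and not Microsoft's code: a small backend-for-frontend proxy that the browser calls without any key, and that attaches the APIM subscription key server-side before forwarding the request to the gateway. The gateway URL and the key are read from environment variables (placeholder defaults here); the header name `Ocp-Apim-Subscription-Key` and query parameter `subscription-key` are APIM's default names for the key. Any key the client tries to pass itself is dropped, so the only key that ever reaches APIM is the one the proxy holds.

```python
"""
Backend-for-frontend proxy that keeps the APIM subscription key on the server.
Added example (not from the Q&A post). Assumptions: the gateway host and the
key come from environment variables; values below are placeholders.
"""
import os
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder configuration (assumed; replace with your own gateway and key).
APIM_GATEWAY = os.environ.get("APIM_GATEWAY", "https://example-apim.azure-api.net")
SUBSCRIPTION_KEY = os.environ.get("APIM_SUBSCRIPTION_KEY", "PLACEHOLDER_KEY")

# APIM's default header and query-string names for the subscription key.
KEY_HEADER = "Ocp-Apim-Subscription-Key"
KEY_QUERY_PARAM = "subscription-key"

# Request headers the proxy never relays from the browser to the gateway.
HOP_BY_HOP = {"host", "connection", "keep-alive", "transfer-encoding", "content-length"}


def build_upstream_request(path, client_headers, key=SUBSCRIPTION_KEY, gateway=APIM_GATEWAY):
    """Return (url, headers) for the call from the proxy to APIM.

    - a client-supplied `subscription-key` query parameter is dropped
    - a client-supplied `Ocp-Apim-Subscription-Key` header is dropped
    - the server-side key is attached as the header APIM expects
    """
    parts = urlsplit(path)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != KEY_QUERY_PARAM]
    url = gateway.rstrip("/") + urlunsplit(("", "", parts.path, urlencode(query), ""))
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in HOP_BY_HOP and k.lower() != KEY_HEADER.lower()}
    headers[KEY_HEADER] = key
    return url, headers


class ProxyHandler(BaseHTTPRequestHandler):
    """Forwards GET requests from the frontend to APIM with the key injected."""

    def do_GET(self):
        url, headers = build_upstream_request(self.path, dict(self.headers))
        try:
            resp = urlopen(Request(url, headers=headers, method="GET"), timeout=10)
            status, body = resp.status, resp.read()
            ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except HTTPError as err:
            # Relay APIM's own error status (e.g. 401 for a rejected key) to the client.
            status, body = err.code, err.read()
            ctype = err.headers.get("Content-Type", "text/plain")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # The browser talks to this listener; the key is never sent to the browser.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Because the key lives only in the proxy's environment, rotating it means redeploying the proxy, not shipping a new frontend build, and the frontend bundle contains nothing worth extracting. Hop-by-hop headers such as `Host` and `Content-Length` are not relayed because the proxy opens a fresh connection to the gateway and `urllib` sets them itself.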