Encrypting Settings at Rest in Azure Service Fabric

By Ryan Kelly

Included with every Microsoft Azure Service Fabric Actor and Service is a nice little settings.xml file that you may have considered using to store configuration values for your actors and services. Unfortunately, the documentation on how this file can be used is a bit lacking, so after hitting my head against it for a couple days, I figured out how it can be used so you don’t have to!

Service_Fabric_Encryption_Blog_PostBasic Settings

If you are storing values that do not need to be encrypted, then life isn’t so hard. You can add a new section in the settings.xml file for yourself and add as many plaintext parameters as you like, as shown in the screenshot below.

Service_Fabric_Basic_Settings

Then in code you can access your settings through the service context object when you are providing your actor factory (for services, this is available in the StatelessServiceContext or StatefulServiceContext). In the screenshot below, I am passing the settings into Autofac to be used to resolve my connection to Azure Event Hub.

Service_Fabric_Basic_Example

A note here: To the best of my knowledge, the configuration package object is always named “Config” by default.

Encrypted Settings

Sometimes you’ll want your configuration values encrypted too, and that’s doable. You can access them the same way as shown above, but there is some work required to get them into an encrypted string and allow your Service Fabric Application to decrypt them on demand.

Setting Up Your Certificate

The first thing you’ll need is a certificate to encrypt and decrypt your setting. To learn how to do this I turned to the following helpful article by Chacko Daniel of Microsoft: https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security/

After attempting many times to create my own certificate with various tools, I was finally able to get the process working when I used the steps in the article. Step one is to download the PowerShell helpers from Chacko Daniel’s git repo here and import the provided module: https://github.com/ChackDan/Service-Fabric/tree/master/Scripts/ServiceFabricRPHelpers

Next, you will need to either use the following script to create an Azure KeyVault or point the certificate to an existing KeyVault:

Invoke-AddCertToKeyVault -SubscriptionId <your subscription id> -ResourceGroupName <string> -Location <region> -VaultName <Name of the Vault> -CertificateName <Name of the Certificate> -Password <Certificate password> -CreateSelfSignedCertificate -DnsName <string- see note below.> -OutputPath <Full path to the .pfx file>

Now import your new self-signed certificate into your LocalMachine Certificate store for future use.

Setting Up Your Application

Now that you know the certificate thumbprint, you can add the secrets certificate to your ApplicationManifest.xml file in your Service Fabric Application like so:

Service_Fabric_Basic_Settings

Encrypting Your Setting

Finally, you can encrypt your sensitive text to put in your settings.xml file. Run the following PowerShell command:

Invoke-ServiceFabricEncryptText -Text "Test12345!" -CertStore -CertThumbprint "<Thumbprint goes here>" -StoreName "My" -StoreLocation LocalMachine

This will give you a crazy long encrypted string that you can put in your settings.xml file. All you have to do now is paste it in and add the attribute IsEncrypted=”true” to your parameter and you’re done!

Service_Fabric_IsEncrypted

Pro Tips

  • When using the Invoke-ServiceFabricEncryptText method, make sure you don’t get any spaces in your string.
  • For encrypted parameters, you will need to run DecryptValue() on the parameter instead of using the Value property. This will return a SecureString which you may need to convert to clear text like so:

Service_Fabric_DecryptValue