Devolutions Hub's encryption service streamlines access to your Hub by eliminating the requirement to individually invite each user from your SSO provider. This feature can be enabled in your Hub under Administration – Authentication – Encryption service.
Requirements
To enable and configure your encryption service, the following prerequisites are necessary:
- A configured and active Single Sign-On (SSO) setup.
- An application identity in your Hub.
- A trusted SSL certificate.
- A reachable network port within the local network and, if applicable, from the internet.
- An active Azure services subscription (if you set up your encryption service using the recommended Azure template method).
- A self-hosted server to install the Devolutions Hub Services (if you set up your encryption service using the Devolutions Hub Services method).
Application identity permissions
Create an application identity and assign it the following system permissions:
- Manage users and user groups
- Manage system configuration (includes system permissions, system settings, and IP allowlists)
If you are using an IP allowlist, the encryption service IP must be added as the allowed IP. Failure to do so will prevent the service from communicating with the Hub, rendering it non-functional.
Azure services subscription
If you are setting up your encryption service using an Azure template, which is the recommended method (see the instructions below), you need to have a subscription to Azure services. If you do not have one, first follow these instructions:
- Log in to your Microsoft Azure Portal account.
- Select Subscriptions in the Azure services. If you do not see it, search for it in the search bar at the top of the page or click on More services to show other services. This service can be found under the Management and governance services category.
- Click Add then select the Pay-As-You-Go subscription offer.
- Enter the required information and sign up to the service.
Encryption service setup
Encryption service setup using an Azure template (recommended)
Using an Azure template to configure the encryption service is the recommended method as it is the simpler and more straightforward approach and helps prevent unnecessary complications. Verify that all requirements are fulfilled before moving forward.
- In Devolutions Hub Business, go to Administration – Authentication – Encryption service and click on Generate Azure template.
- Copy the generated template.
- On the Microsoft Azure Portal home page, select Deploy a custom template in the Azure services. If you do not see it, search for it in the search bar at the top of the page or click on More services to show other services. This service can be found under the General services category.
- Click on Build your own template in the editor.
- Paste the generated Azure template you obtained from Devolutions Hub into the Azure template editor, replacing any pre-existing content within the editor.
- Click Save.
- On the Custom deployment page, configure your information as outlined below:
- Subscription: Select a subscription if none is selected.
- Resource group: Select or create a resource group if none is selected.
- App Name and App Service Plan Name: Leave the default names or change them according to your preferences.
- Hub URL: Ensure that it is set to the URL of your Devolutions Hub Business.
- Application Identity Key and Application Identity Secret: Enter your application identity key and secret in the corresponding fields. Your application identity should have the Manage system configuration and Manage users and user groups permissions, as stated in Application identity permissions.
- Click on Review + create.
- Click on Create.
- Upon completion of the deployment, which may take a few seconds, click on Go to resource group.
- Select your new App Service in the list.
- Copy the given Default domain (https://your-app-name.azurewebsites.net) or the Custom domain (https://yourdomain.com) if you decided to create one.
- Add this domain to the list of redirect URIs in your enterprise application. Follow the instructions below to guide you through this process:
- Go back to the Microsoft Azure Portal home page and select Enterprise applications in the Azure services. If you do not see it, click on More services to show other services.
- Select your application from the list.
- In the left menu, click on Properties.
- In the text at the top of the page, click on application registration.
- In the left menu, click on Authentication.
- Click on Add URI and paste the domain in the redirect URI field. Add /auth/callback at the end of the URL and ensure it starts with https://. The end result should look like this: https://your-app-name.azurewebsites.net/auth/callback.
- Click Save.
- In Devolutions Hub, go back to Administration – Authentication – Encryption service and enable the encryption service if not already done.
- Paste your default or custom domain in the Encryption Service URL field and ensure that it starts with https://. The end result should look like this: https://your-app-name.azurewebsites.net. This is where the encryption service will listen for incoming requests. This URL or IP address only needs to be reachable by clients logging in using the encryption service.
- Test the connection. If the connection fails, check the validity of the information you have entered and try again. If you are still experiencing connection problems, please contact our help desk technicians at service@devolutions.net.
All users from your SSO provider can now log in and gain access to your Devolutions Hub automatically, bypassing the need for invitations. It is also not necessary for users to have a private key set up to use the Hub. The server operates on a self-hosted basis; it therefore plays a vital role in the infrastructure. Should the server experience downtime or fail to run, users lacking private keys will encounter issues connecting to the Hub.
Encryption service setup with the Devolutions Hub Services
Using an Azure template to configure the encryption service is the recommended method as it is the simpler and more straightforward approach and helps prevent unnecessary complications. Nonetheless, if you wish to use the following Devolutions Hub Services method, verify that all requirements are fulfilled before moving forward.
- Download the Devolutions Hub Services and launch the installer.
- Click Next to continue past the welcome page.
- Read and accept the terms in the License Agreement, then click Next.
- Under Custom Setup, select Encryption, then click Next.
- Enter the following information in the corresponding fields:
- the Host, which is the URL of your Devolutions Hub.
- the Application secret and Application key, which were provided to you when the application identity was initially created.
- Click on Test Connection. You should receive a message indicating that the connection was successful. If this is not the case, check the validity of the information you have entered and try again. If you are still experiencing connection problems, please contact our help desk technicians at service@devolutions.net.
- Click Next.
- Enter the URL (HTTPS is mandatory) and Port number where the encryption service will listen for incoming requests. Ensure the port is configured to be reachable.
- Search for your Certificate and select it. If your certificate is protected with a password, enter it in Certificate Password.
- Click Next.
The installation process should now begin.
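The two setups above share the same configuration pitfalls: the Encryption Service URL must start with https://, the Azure app registration must carry the matching /auth/callback redirect URI, and an IP allowlist that omits the service address blocks it from the Hub. The following helper is an added example (not Devolutions' code) that builds the expected values from the App Service domain and reports these problems before you click Test Connection; the domain, redirect URI and IP addresses in it are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

CALLBACK_PATH = "/auth/callback"  # suffix the setup steps add to the redirect URI


def service_base_url(domain_or_url: str) -> str:
    """Normalise the domain into the Encryption Service URL the Hub field expects.

    Accepts a bare host ("your-app-name.azurewebsites.net") or a full URL,
    forces https:// and strips any path, so the result has no trailing slash.
    """
    raw = domain_or_url.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError(f"encryption service URL must start with https://, got {parts.scheme}://")
    if not parts.netloc:
        raise ValueError("encryption service URL has no host")
    return urlunsplit(("https", parts.netloc.lower(), "", "", ""))


def redirect_uri(domain_or_url: str) -> str:
    """The redirect URI to register on the app registration: base URL + /auth/callback."""
    return service_base_url(domain_or_url) + CALLBACK_PATH


def precheck(service_url: str, registered_redirect_uris: list[str],
             ip_allowlist: list[str], service_ip: str) -> list[str]:
    """Return the configuration problems that would leave the service non-functional."""
    issues = []
    try:
        base = service_base_url(service_url)
    except ValueError as err:
        return [str(err)]
    expected = base + CALLBACK_PATH
    if expected not in registered_redirect_uris:
        issues.append(f"redirect URI {expected} is not registered on the application")
    # An IP allowlist that omits the service address blocks it from the Hub entirely.
    if ip_allowlist:
        ip = ip_address(service_ip)
        if not any(ip in ip_network(entry, strict=False) for entry in ip_allowlist):
            issues.append(f"IP allowlist is enabled but does not include {service_ip}")
    return issues


if __name__ == "__main__":
    # Constructed sample values; the domain is the placeholder used in the setup steps.
    print(precheck("your-app-name.azurewebsites.net",
                   ["https://your-app-name.azurewebsites.net/auth/callback"],
                   ["203.0.113.0/24"], "198.51.100.7"))
```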
Troubleshooting
- If users experience issues connecting while the encryption service is activated, it is possible to restart the App from the App Service page to attempt to resolve the problem. If the issue persists, try stopping the App Service. However, be aware that users without a password will need to create one and will require an invitation to access the Hub.
- To access the logs, go to the Deployment Center from the App Service page by selecting it from the left-hand menu, then navigate to the Logs tab. It is recommended to send these logs when opening a support ticket for assistance.
Frequently asked questions
Q: What is being saved or stored by the self-hosted Encryption Service?
A: The private and public key pair is generated in the browser and never saved nor stored anywhere. The Encryption Service only receives the public key to allow the authentication flow to continue.
Q: What would happen to existing encryption keys should the self-hosted Encryption Service be updated via Azure AD?
A: Redeploying fetches the latest container version; encryption keys are not saved anywhere and are therefore unaffected.
Q: Can the Encryption Service be secured further?
A: Adding more layers of security is perfectly feasible here. Make sure that the service is able to reach, and be reached by, Devolutions Hub and Devolutions Portal. The Encryption Service operates as a redirection in Devolutions Hub's authentication flow, allowing for automatic SSO provisioning, decrypting your Devolutions Hub key at each login, and eliminating the need for invitations.
Q: Can I create fallback encryption services?
A: Additional encryption services can be created, but a user must be able to connect and switch the URL in the Encryption Service settings. Otherwise, it defaults to the normal key decryption method. Logging out might be required here.