The lightweight execution engine is designed to use AES-256-GCM encryption with keys stored in Azure Key Vault to protect sensitive data end-to-end. Here is a walkthrough for encrypting .bite files and setting up the Azure Key Vault to store the encryption keys inside:
Step 1 — One-time infrastructure setup
Create the Key Vault, enable Managed Identity on the Function App and assign the minimum RBAC roles. Edit the variables at the top of the script first, then run:
# PowerShell variant
.\Scripts\KeyVaultSetup.ps1
# Azure CLI variant
bash Scripts/KeyVaultSetup.azcli
Step 2 — Encrypt your source files
Run on the developer machine that holds the original (plain or DPAPI-encrypted) .bite files:
# First run — generates the key and encrypts
.\Scripts\Encrypt-Config.ps1 `
-FilePath "C:\Warewolf\Resources" `
-VaultName "kv-warewolf-prod" `
-FunctionApp "func-warewolf-prod" `
-ResourceGroup "rg-warewolf-prod" `
-UploadToAzure
# Subsequent runs — re-encrypt changed files with the same key
.\Scripts\Encrypt-Config.ps1 `
-FilePath "C:\Warewolf\Resources" `
-VaultName "kv-warewolf-prod"
These scripts are shipped inside the release zip.
