1. Home
  2. Technical Documentation
  3. Security – Encryption

Security – Encryption

Core Encryption Mechanism

The Warewolf lightweight execution engine uses AES-256-GCM encryption with keys stored in Azure Key Vault to safeguard sensitive data. On full (on-premises) Warewolf servers, Windows DPAPI protects values; Azure deployments cannot use DPAPI (it is machine-bound), so they use the Key Vault–backed AES approach instead.

Protected Assets

Encryption covers any configuration that stores secrets in a ConnectionString attribute, plus the secure server configuration and the license file:

  • Source .bite files (database, web, SharePoint credentials) — <Source ConnectionString="…">
  • Elasticsearch logging source credentials (ElasticsearchLoggingSource.bite)
  • Other .bite config sources with a <Source> element and a ConnectionString attribute
  • secure.config — the server security configuration (encrypted with AES before staging; see License File Encryption for the mechanism)
  • Warewolf License.secureconfig — the license file (separate AES-256-CBC mechanism; see License File Encryption below)

Encryption Format (.bite ConnectionStrings)

Encrypted ConnectionString values use this structure:

WFAES::{Base64( [12-byte nonce][ciphertext][16-byte GCM tag] )}

Key characteristics:

  • The WFAES:: prefix makes the value invalid base64 on its own, so it is never misinterpreted as a DPAPI value on a machine without the AES hook.
  • AES-256-GCM is authenticated encryption — any tampering is detected at decrypt time.
  • At runtime the engine fetches the key from Key Vault once per cold start and decrypts in memory; decrypted secrets are never written to disk by the engine.

Deployment Paths

There are two ways to provision Key Vault and encrypt sources. The orchestrated path is recommended.

Deploy-WwExecutionEngine.ps1 provisions all infrastructure and, when -EncryptResources is supplied, creates the Key Vault inline (no separate setup script), generates/stores the AES key, encrypts every deployable source, optionally verifies decryption in memory, and wires the runtime app settings.

# First deploy — provision the vault + key and encrypt all sources, verifying in memory
.\Deploy-WwExecutionEngine.ps1 `
-ResourceGroup DEV2 -Location southafricanorth `
-StorageAccount stwwenginetestv1 -AppName wwenginetestv1 `
-PublishPath 'D:\ExecutionEngine\AzureFunctionsPackage' `
-EncryptResources:$true -VerifyDecryption -GenerateNewKey `
-KeyVaultName WWExecutionEngine -KeyVaultSecretName WWExecutionEngineTestSecret

-EncryptResources is optional and defaults to OFF. The intended workflow is encrypt once, then deploy as-is: on later deploys leave -EncryptResources off — the sources are already encrypted and are staged unchanged — but still pass -KeyVaultName/-KeyVaultSecretName so the engine’s app settings and managed-identity role are wired for runtime decryption.

Manual — step by step

Step 1 — Infrastructure setup. Create the Key Vault and key using KeyVaultSetup.ps1 or KeyVaultSetup.azcli (use this only if you are not provisioning through Deploy-WwExecutionEngine.ps1, which does it inline).

Step 2 — Encrypt .bite files using Encrypt-Config.ps1:

  • The first run with -GenerateKes a new 256-bit key in Key Vault.
  • Subsequent runs (without -GenerateKeys) encrypt only newly added plaintext or DPAPI values; values that are already WFAES::d. To re-encrypt or rotate existingvalues, use -GenerateKeys (see Key Rotation).

# First-time setup: generate the key and encrypt all .bite files .\Encrypt-Config.ps1 -FilePath "C:\Warewolf\ewolf-prod" -SecretName "dp-keyring-v1"-GenerateKeys
# Later: encrypt newly added plaintext/DPAPI files using the existing key .\Encrypt-Config.ps1 -FilePath "C:\Warewolf\ewolf-prod" -SecretName "dp-keyring-v1"

Encrypt-Config.ps1 Parameters

Parameter Required Purpose
-FilePath Yes A single .bite file, or a folder searched recursively for .bite files. Files without a <Source ConnectionString="…"></c
-VaultName Yes Azure Key Vault name (e.g. kv-warewolf-prod).
-SecretName Yes Key Vault secret holding the AES key mate script has no default (the engineenv-var default is dp-keyring-v1; see Configuration Variables).
-GenerateKeys No Generate a NEW AES-256 key, store it as -)encrypt all files. ExistingWFAES:: values are decrypted with the current key, then re-encrypted with the new one. Cannot be combined with -Decrypt or -VerifyO
-Decrypt No Decrypt WFAES::/DPAPI ConnectionStrings back to plain text into an output directory
(originals untouched). This writes p recovery/inspection — delete the outputdirectory after use.
-VerifyOnly No Decrypt every WFAES::/DPAPIong> to prove the Key Vault key works. Nofile (and no plaintext) is written. Read-only.
-NonInteractive No Never prompt; implies -NoBackup</cctory is supplied. Used byDeploy-WwExecutionEngine.ps1.
-NoBackup No Skip the pre-encryption backup prompt/st
-OutputDirectory No Explicit target for the backup (encrypt mode) or the decrypted files (decrypt mode); suppresses the prompt.

Configuration Variables (runtime engine app settings)

Variable Required Default Purpose
AZURE_KEYVAULT_NAME Yes Enables encryption (omit to disable).</t
KEYVAULT_SECRET_NAME No dp-keyring-v1 Secret name holding the AES key ring.</t
WorkflowsDirectory No {BaseDir}/Resources Path to .bite files.

License File Encryption

License files use an AES-256-CBC scheme — the same algorithm Warewolf Studio uses (mirrors
Dev2.Infrastructure Securs is a separate mechanism that doesnot use Key Vault and is handled by Protect-LicenseConfig.ps1 (shipped in the engine
application/publish directory, not the <code

Deploy-WwExecutionEngine.ps1 cose.secureconfig you supply into thepackage as-is — it does not run Protect-LicenseConfig.ps1. Encrypt the license file with
Protect-LicenseConfig.ps1 -Encrypt</colready protected.

Backup Behaviour

Before encrypting in place, Encrypt-Cock up the .bite files(interactive runs only). If confirmed, files are copied to a timestamped directory (default: the
source path with a date-time stamp appended,-15-14-30-45-12
), preservingsubdirectory structure; files keep their .bite extension. A custom path may be entered at the prompt.
Unattended runs (-NonInteractive</codekip the backup — operate on a copy.

Key Rotation

Rotate every 90 days (or immediately after arunning Encrypt-Config.ps1 with-GenerateKeys against the .bite files. The script decrypts existing WFAES::
values with the current key and re-encrypts pass.

.\Encrypt-Config.ps1 -FilePath "C:\Warkv-warewolf-prod" -SecretName "dp-keyring-v1" -GenerateKeys

Verifying a Deployment

Confirm the deployed key can decrypt every vplaintext using-VerifyOnly (or Deploy-WwExecutionEngine.ps1 -VerifyDecryption, which calls it):

.\Encrypt-Config.ps1 -FilePath "C:\Warewolf\Resources" -VaultName "kv-warewolf-prod" -SecretName "dp-keyring-v1"
-VerifyOnly

Important Notes

  • After verifying an encrypted deployped backup directory (e.g.Resources_<timestamp>) created by the backup prompt. (The script does not create
    .bite.bak files.)
  • If you used -Decrypt, delete the decrypted output directory — it contains plain-text
    credentials.
  • DPAPI-encrypted values must be re-encrypted to WFAES:: before deploying to
    Azure/Linux. DPAPI is machine-bound, so a DPed on the Windows machine that createdit.
  • Maintain an offline backup of the Kmaterial). Losing it makes everyWFAES:: value unrecoverable.
  • Prerequisites: Pow CLI (az login), andWindows (DPAPI detection/decryption during encryption is Windows-only).
  • This article is for version 1.0 of the scripts, as of 2026-06-22. See https://warewolf.io/release-notes.php
FacebookTwitterLinkedInGoogle+Email
Updated on June 25, 2026

Was this article helpful?

Related Articles

Enjoying Warewolf?

Write a review on G2 Crowd
Stars