Latest commit

adec811 · Feb 17, 2022

encrypt-credentials-self-hosted-integration-runtime.md

File metadata and controls

65 lines (48 loc) · 3.51 KB
title: Encrypt credentials in Azure Data Factory
description: Learn how to encrypt and store credentials for your on-premises data stores on a machine with self-hosted integration runtime.
author: lrtoyou1223
ms.service: data-factory
ms.subservice: integration-runtime
ms.topic: conceptual
ms.date: 01/27/2022
ms.author: lle
ms.custom: devx-track-azurepowershell

Encrypt credentials for on-premises data stores in Azure Data Factory


You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.


You pass a JSON definition file with credentials to the New-AzDataFactoryV2LinkedServiceEncryptedCredential cmdlet to produce an output JSON definition file with the encrypted credentials. Then, use the updated JSON definition to create the linked services.

Create a linked service with encrypted credentials

This example shows how to create a linked service to an on-premises SQL Server data source with encrypted credentials.

Create initial linked service JSON file description

Create a JSON file named SqlServerLinkedService.json in any folder with the following content:

Replace <servername>, <databasename>, <username>, and <password> with values for your SQL Server before saving the file. Also replace <integration runtime name> with the name of your integration runtime.

{
    "properties": {
        "type": "SqlServer",
        "typeProperties": {
            "connectionString": "Server=<servername>;Database=<databasename>;User ID=<username>;Password=<password>;Timeout=60"
        },
        "connectVia": {
            "type": "integrationRuntimeReference",
            "referenceName": "<integration runtime name>"
        },
        "name": "SqlServerLinkedService"
    }
}

Encrypt credentials

To encrypt the sensitive data from the JSON payload on an on-premises self-hosted integration runtime, run New-AzDataFactoryV2LinkedServiceEncryptedCredential and pass it the JSON payload. This cmdlet ensures the credentials are encrypted using DPAPI and stored locally on the self-hosted integration runtime node. It can be run from any machine, provided the Remote access option is enabled on the targeted self-hosted integration runtime and PowerShell 7.0 or higher is used to execute it. The output payload containing the encrypted reference to the credential can be redirected to another JSON file (in this case 'encryptedSqlServerLinkedService.json').

New-AzDataFactoryV2LinkedServiceEncryptedCredential -DataFactoryName $dataFactoryName -ResourceGroupName $ResourceGroupName -Name "SqlServerLinkedService" -DefinitionFile ".\SqlServerLinkedService.json" > encryptedSqlServerLinkedService.json

Use the JSON with encrypted credentials

Now, use the output JSON file from the previous command containing the encrypted credential to set up the SqlServerLinkedService.

Set-AzDataFactoryV2LinkedService -DataFactoryName $dataFactoryName -ResourceGroupName $ResourceGroupName -Name "EncryptedSqlServerLinkedService" -DefinitionFile ".\encryptedSqlServerLinkedService.json" 
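The three steps above leave the cleartext password in SqlServerLinkedService.json on disk. The following added example (not part of the original article) runs the same procedure end to end while keeping the plaintext definition in a short-lived temp file and checking the output before deployment. It assumes the Az.DataFactory module is installed and signed in; the temp file name and all placeholder values are assumptions.

```powershell
#Requires -Version 7.0
# Added example, not from the original article. Assumes Az.DataFactory is installed,
# Connect-AzAccount has been run, and the placeholder values below are replaced.
$dataFactoryName   = '<data factory name>'
$ResourceGroupName = '<resource group name>'
$irName            = '<integration runtime name>'
$server            = '<servername>'
$database          = '<databasename>'

# Prompt for the SQL login so the password is not typed into a file by hand.
$cred  = Get-Credential -Message 'SQL Server login for the linked service'
$plain = $cred.GetNetworkCredential().Password

$definition = @{
    properties = @{
        type           = 'SqlServer'
        typeProperties = @{
            connectionString = "Server=$server;Database=$database;User ID=$($cred.UserName);Password=$plain;Timeout=60"
        }
        connectVia     = @{ type = 'integrationRuntimeReference'; referenceName = $irName }
        name           = 'SqlServerLinkedService'
    }
}

# Hypothetical file names: a random temp file for the plaintext input, fixed name for the output.
$plainPath = Join-Path ([System.IO.Path]::GetTempPath()) ("ls-{0}.json" -f [guid]::NewGuid())
$encPath   = Join-Path $PWD 'encryptedSqlServerLinkedService.json'

try {
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $plainPath -Encoding utf8
    New-AzDataFactoryV2LinkedServiceEncryptedCredential -DataFactoryName $dataFactoryName `
        -ResourceGroupName $ResourceGroupName -Name 'SqlServerLinkedService' `
        -DefinitionFile $plainPath -ErrorAction Stop > $encPath
}
finally {
    # The plaintext definition is the weak point: delete it on success or failure.
    Remove-Item -Path $plainPath -Force -ErrorAction SilentlyContinue
}

# Best-effort check: refuse to deploy if the output still contains the cleartext password.
if (Select-String -Path $encPath -Pattern $plain -SimpleMatch -Quiet) {
    Remove-Item -Path $encPath -Force
    throw 'Output file still contains the plaintext password; not creating the linked service.'
}
Remove-Variable plain, cred

Set-AzDataFactoryV2LinkedService -DataFactoryName $dataFactoryName `
    -ResourceGroupName $ResourceGroupName -Name 'EncryptedSqlServerLinkedService' `
    -DefinitionFile $encPath
```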

Next steps

For information about security considerations for data movement, see Data movement security considerations.