QUESTION: Where do Connection Manager credentials get stored for the Nintex for Office 365 product?
ANSWER: For all connections, they are stored in the Nintex Azure Connection Manager. The connection types and what each of them stores are listed below:
- Basic Auth: the username and password
- API key: the key itself
- OAuth: everything the IdP sent back, including the access_token, the refresh_token (if one was provided), and so on
The data for Connection Manager is multi-tenanted and partitioned by tenant ID. Each connection is encrypted with a different encryption key on the client side and is then stored encrypted at rest; the data at rest is additionally encrypted by Azure TDE. Azure Key Vault holds the key that is used to decrypt each connection's own encryption key. For every entity, the client library generates a random 16-byte Initialization Vector (IV) together with a random 32-byte content encryption key (CEK), and performs envelope encryption on each individual property that needs to be encrypted, deriving a distinct IV for each property. The Azure Key Vault key is used to encrypt the IV and CEK for each entity, and the encrypted values are stored alongside the entity as additional properties.