Isolated Storage is a useful feature to keep your secrets secure in Microsoft Dynamics 365 Business Central. In this article, you will learn what it is, how to use it and some additional points to consider.
- What Is Isolated Storage?
- How Can We Use It?
- Additional Key Points
- Move Old Secrets To Isolated Storage
What Is Isolated Storage?
Isolated Storage is a system table that we can use to store confidential data. The data can't be accessed from outside the application, meaning that other extensions won't be able to read it. We can store any type of secret we define: passwords, tokens, license data, etc.
We will only be able to use two fields of this table: the key and the value. The key is a text field and the value is stored as a Blob.
The ‘Isolated Storage’ table can only be used OnPrem, but we can have a look and see what it looks like.
The primary key is composed of ‘AppId’, ‘Scope’, ‘Company Name’, ‘User Id’, and ‘Key’. This way, you can have the same secret key for different apps, companies, users, etc.
How Can We Use It?
There is a dedicated type with the same name called ‘IsolatedStorage’. We won't be using the table directly.
It contains the following methods:
We will create a small example. This is just a simple way to use the methods. There are additional considerations when using isolated storage that we will have a look at in the next section.
For passwords, you'll want users to enter the information in the UI, so you will need to create a page for that.
To set a password, it's as simple as the following image. ‘BCPassword’ is the key and ‘MyP@ssW0rd’ is the value:
We have the possibility to define a scope in which the password can be retrieved. It can be Company, CompanyAndUser, Module, or User.
For example, if we define it as a company scope, the password can be read by users only within the same company. In other words, the scope determines who can retrieve the data from the Isolated Storage.
An additional layer of security can be applied by storing the password encrypted, as in the following screenshot. It's recommended to do so:
To read the password back we use the method ‘Get’. Even if the value is encrypted, the method will decrypt it. As you can see, we just need to tell it which key we want to retrieve, and the value will be assigned to the second parameter:
If we try to get the password from another extension, an error will show that ‘BCPassword’ does not exist. We knew from above that each app or module has its own isolated storage. This way, we make sure that other extensions can't access sensitive information:
What if we create a dependency on that app?
The same result. We can't access it either, as the App Ids are different.
Isolated Storage Management
For Business Central on-premise, we can also use the ‘Isolated Storage Management’ codeunit. As you can see, the ‘Set’ method checks if encryption is enabled. OnPrem doesn't have encryption enabled by default, so you want to make sure to check it first.
For the cloud, encryption is always enabled, so we don't need to verify it first.
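The set-scope-encrypt-get flow from the screenshots above, together with the encryption check described in this section, written out as one small app. This is an added example, not code from the original article or from Microsoft: the object IDs (50100, 50101), the names ‘Secret Mgt.’ and ‘Secret Setup’, and the ‘CheckPassword’ consumer are assumptions; ‘BCPassword’ is the key used in the article.

```al
// Added example: stores a password in Isolated Storage under company scope and reads
// it back through the IsolatedStorage type. Object IDs and names are assumptions.
codeunit 50100 "Secret Mgt."
{
    var
        PasswordKeyTok: Label 'BCPassword', Locked = true;
        PasswordNotFoundErr: Label 'No password has been stored for key %1.', Comment = '%1 = storage key';

    // Company scope: only sessions in this company (and this app) can read the value back.
    [NonDebuggable]
    procedure SetPassword(NewPassword: Text)
    begin
        // OnPrem has encryption disabled by default and SetEncrypted requires it,
        // so check before choosing the call. In the cloud EncryptionEnabled() is always true.
        if EncryptionEnabled() then
            IsolatedStorage.SetEncrypted(PasswordKeyTok, NewPassword, DataScope::Company)
        else
            IsolatedStorage.Set(PasswordKeyTok, NewPassword, DataScope::Company);
    end;

    procedure HasPassword(): Boolean
    begin
        exit(IsolatedStorage.Contains(PasswordKeyTok, DataScope::Company));
    end;

    procedure DeletePassword()
    begin
        if IsolatedStorage.Contains(PasswordKeyTok, DataScope::Company) then
            IsolatedStorage.Delete(PasswordKeyTok, DataScope::Company);
    end;

    // Consumer of the secret: compares a candidate with the stored value
    // without handing the stored value out of the codeunit.
    [NonDebuggable]
    procedure CheckPassword(Candidate: Text): Boolean
    begin
        exit(Candidate = GetPassword());
    end;

    // Mirrors the article's Get call: Get decrypts transparently when the value was
    // written with SetEncrypted. Kept local so the secret stays inside this codeunit.
    [NonDebuggable]
    local procedure GetPassword() Password: Text
    begin
        if not IsolatedStorage.Get(PasswordKeyTok, DataScope::Company, Password) then
            Error(PasswordNotFoundErr, PasswordKeyTok);
    end;
}

// Setup page where the user types the password; the field is masked and the page
// keeps no copy of the value once it has been stored.
page 50101 "Secret Setup"
{
    PageType = Card;
    ApplicationArea = All;
    UsageCategory = Administration;
    Caption = 'Secret Setup';

    layout
    {
        area(Content)
        {
            group(General)
            {
                field(Password; PasswordValue)
                {
                    ApplicationArea = All;
                    Caption = 'Password';
                    ExtendedDatatype = Masked;
                    ToolTip = 'Specifies the password kept in Isolated Storage.';

                    trigger OnValidate()
                    begin
                        SecretMgt.SetPassword(PasswordValue);
                        PasswordValue := PlaceholderTok; // show that a value exists, not the value
                    end;
                }
            }
        }
    }

    trigger OnOpenPage()
    begin
        if SecretMgt.HasPassword() then
            PasswordValue := PlaceholderTok;
    end;

    var
        SecretMgt: Codeunit "Secret Mgt.";
        PlaceholderTok: Label '********', Locked = true;
        [NonDebuggable]
        PasswordValue: Text;
}
```

The ‘NonDebuggable’ attribute is not mentioned in the article; it is added here because it stops the debugger from showing the secret held in those procedures and variables, which is an easy leak to overlook once the storage itself is isolated.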
Get more information about Isolated Storage and its methods in the Microsoft documentation below:
Additional Key Points
1) We have mentioned that a dependent app can't get the password. But this isn't entirely true. It can't if it tries to retrieve the same key from Isolated Storage.
But a dependent app can get the password by calling a public function. If the function returns a secret, then anyone could call or subscribe to it and retrieve the secret.
We have to make sure that these methods are only internal or local and can't be accessed from outside. You want to isolate the isolated storage management.
2) Don't return sensitive information by VAR. The same idea from above applies. The logic should be encapsulated.
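Points 1) and 2) side by side: a codeunit that hands the secret out (by return value and by VAR) next to the encapsulated form, where the codeunit performs the operation that needs the secret and never returns it. This is an added example, not code from the original article; the object IDs (50110, 50111), the names, the ‘ApiKey’ storage key and the HTTP header use case are assumptions.

```al
// Added example. Object IDs, names and the 'ApiKey' key are assumptions.

// 1) Leaky: the secret itself crosses the app boundary. Any dependent app can call
//    either procedure, so the per-app isolation of the storage buys nothing.
codeunit 50110 "Api Key Leaky"
{
    var
        ApiKeyTok: Label 'ApiKey', Locked = true;

    procedure GetApiKey() ApiKey: Text
    begin
        IsolatedStorage.Get(ApiKeyTok, DataScope::Module, ApiKey);
    end;

    // Returning by VAR is the same leak with a different signature.
    procedure GetApiKeyByVar(var ApiKey: Text)
    begin
        IsolatedStorage.Get(ApiKeyTok, DataScope::Module, ApiKey);
    end;
}

// 2) Encapsulated: Access = Internal hides the codeunit from other apps, the read is a
//    local procedure, and the public surface attaches the key to a request instead of
//    returning it. Callers never see the value.
codeunit 50111 "Api Client"
{
    Access = Internal;

    var
        ApiKeyTok: Label 'ApiKey', Locked = true;
        MissingKeyErr: Label 'The API key has not been set up.';

    [NonDebuggable]
    procedure SetApiKey(NewApiKey: Text)
    begin
        // Module scope: the key belongs to this app regardless of company or user.
        if EncryptionEnabled() then
            IsolatedStorage.SetEncrypted(ApiKeyTok, NewApiKey, DataScope::Module)
        else
            IsolatedStorage.Set(ApiKeyTok, NewApiKey, DataScope::Module);
    end;

    // The caller hands in the request; the key is added here and is not returned.
    [NonDebuggable]
    procedure Authorize(var RequestMessage: HttpRequestMessage)
    var
        Headers: HttpHeaders;
    begin
        RequestMessage.GetHeaders(Headers);
        if Headers.Contains('Authorization') then
            Headers.Remove('Authorization');
        Headers.Add('Authorization', 'Bearer ' + GetApiKey());
    end;

    [NonDebuggable]
    local procedure GetApiKey() ApiKey: Text
    begin
        if not IsolatedStorage.Get(ApiKeyTok, DataScope::Module, ApiKey) then
            Error(MissingKeyErr);
    end;
}
```

With the second codeunit, a dependent app can still trigger an authorized call through ‘Authorize’, but the only way to obtain the key value would be to read the outgoing request, which is outside what Isolated Storage or access modifiers can control; the point is that no AL code path returns the secret.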
For further detail on best practices in Isolated Storage, make sure to check the following link.
Move Old Secrets To Isolated Storage
We have the ‘Upg Secrets to Isol. Storage’ codeunit available. It's an upgrade codeunit to move different secrets to Isolated Storage. Already obsolete tables like ‘Service Password’ or ‘SMTP Mail Setup’ have methods to move their secrets.
‘Service Password’ was used in the past to store passwords. If you are working on an upgrade from NAV to Business Central, you might find some of these methods useful.
The codeunit contains the following methods:
Check the following article if you want to learn more about InStreams and OutStreams in Business Central:
That's all. Hope you find it helpful.