Customer-managed keys in Adobe Experience Platform
Data stored on Adobe Experience Platform is encrypted at rest using system-level keys. If you are using an application built on top of Platform, you can opt to use your own encryption keys instead, giving you greater control over your data security.
This document provides a high level overview of the process for enabling the customer-managed keys (CMK) feature in Platform, and the prerequisite information required to complete these steps.
Prerequisites
To view and visit the Encryption section in Adobe Experience Platform, you must have created a role and assigned the Manage Customer Managed Key permission to that role. Any user that has the Manage Customer Managed Key permission can enable CMK for their organization.
For more information on assigning roles and permissions in Experience Platform, refer to the configure permissions documentation.
In order to enable CMK, your Azure Key Vault must be configured with the following settings:
Please read the linked documentation to better understand the process.
Process summary process-summary
CMK is included in the Healthcare Shield and the Privacy and Security Shield offerings from Adobe. After your organization purchases a license for one of these offerings, you can begin a one-time process for setting up the feature.
The process is as follows:
- Configure an Azure Key Vault based on your organization’s policies, then generate an encryption key that will ultimately be shared with Adobe.
- Set up the CMK app with your Azure tenant through either API calls or the UI.
- Send your encryption key ID to Adobe and start the enablement process for the feature either in the UI or with an API call.
- Check the status of the configuration to verify whether CMK has been enabled either in the UI or with an API call.
Once the setup process is complete, all data onboarded into Platform across all sandboxes will be encrypted using your Azure key setup. To use CMK, you will leverage Microsoft Azure functionality that may be part of their public preview program.
Revoke access revoke-access
If you want to revoke Platform access to your data, you can remove the user role associated with the application from the key vault within Azure.
After removing key access or disabling/deleting the key from your Azure key vault, it may take anywhere from a few minutes, to 24 hours for this configuration to propagate to primary data stores. Platform workflows also include cached and transient data stores required for performance and core application functionality. The propagation of CMK revocation through such cached and transient stores may take up to seven days as determined by their data processing workflows. For example, this means that the Profile dashboard would retain and display data from its cache data store and take seven days to expire the data held in cache data stores as part of the refresh cycle. The same time delay applies for data to become available again when re-enabling access to the application.
Next steps
To begin the process, start by configuring an Azure Key Vault and generate an encryption key to share with Adobe.