DocumentationExperience PlatformExperience Platform overview

Customer-managed keys in Adobe Experience Platform

Last update: Wed Nov 01 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Developer
  • User
  • Admin
  • Leader

Data stored on Adobe Experience Platform is encrypted at rest using system-level keys. If you are using an application built on top of Platform, you can opt to use your own encryption keys instead, giving you greater control over your data security.

NOTE
Data in Adobe Experience Platform data lake and Profile Store are encrypted using CMK. These are regarded as your primary data stores.

This document provides a high level overview of the process for enabling the customer-managed keys (CMK) feature in Platform, and the prerequisite information required to complete these steps.

NOTE
For Customer Journey Analytics customers, please follow the instructions in the Customer Journey Analytics documentation.

Prerequisites

To view and visit the Encryption section in Adobe Experience Platform, you must have created a role and assigned the Manage Customer Managed Key permission to that role. Any user that has the Manage Customer Managed Key permission can enable CMK for their organization.

For more information on assigning roles and permissions in Experience Platform, refer to the configure permissions documentation.

In order to enable CMK, your Azure Key Vault must be configured with the following settings:

Please read the linked documentation to better understand the process.

Process summary process-summary

CMK is included in the Healthcare Shield and the Privacy and Security Shield offerings from Adobe. After your organization purchases a license for one of these offerings, you can begin a one-time process for setting up the feature.

WARNING
After setting up CMK, you cannot revert to system-managed keys. You are responsible for securely managing your keys and providing access to your Key Vault, Key, and CMK app within Azure to prevent losing access to your data.

The process is as follows:

  1. Configure an Azure Key Vault based on your organization’s policies, then generate an encryption key that will ultimately be shared with Adobe.
  2. Set up the CMK app with your Azure tenant through either API calls or the UI.
  3. Send your encryption key ID to Adobe and start the enablement process for the feature either in the UI or with an API call.
  4. Check the status of the configuration to verify whether CMK has been enabled either in the UI or with an API call.

Once the setup process is complete, all data onboarded into Platform across all sandboxes will be encrypted using your Azure key setup. To use CMK, you will leverage Microsoft Azure functionality that may be part of their public preview program.

Revoke access revoke-access

If you want to revoke Platform access to your data, you can remove the user role associated with the application from the key vault within Azure.

WARNING
Disabling the key vault, Key, or CMK app can result in a breaking change. Once the key vault, Key, or CMK app is disabled and data is no longer accessible in Platform, any downstream operations related to that data will no longer be possible. Ensure that you understand the downstream impacts of revoking Platform access to your key before you make any changes to your configuration.

After removing key access or disabling/deleting the key from your Azure key vault, it may take anywhere from a few minutes, to 24 hours for this configuration to propagate to primary data stores. Platform workflows also include cached and transient data stores required for performance and core application functionality. The propagation of CMK revocation through such cached and transient stores may take up to seven days as determined by their data processing workflows. For example, this means that the Profile dashboard would retain and display data from its cache data store and take seven days to expire the data held in cache data stores as part of the refresh cycle. The same time delay applies for data to become available again when re-enabling access to the application.

NOTE
There are two use-case-specific exceptions to the seven day dataset expiration on non-primary (cached/transient) data. See their respective documentation for more information on these features.

Next steps

To begin the process, start by configuring an Azure Key Vault and generate an encryption key to share with Adobe.

recommendation-more-help
5741548a-2e07-44b3-9157-9c181502d0c5