This document covers the process for enabling the customer-managed keys (CMK) feature in Platform using the UI. For instructions on how to complete this process using the API, refer to the API CMK setup document.
To view the Encryption section in Adobe Experience Platform, you must have created a role and assigned the Manage Customer Managed Key permission to that role. Any user who has the Manage Customer Managed Key permission can enable CMK for their organization.
For more information on assigning roles and permissions in Experience Platform, refer to the configure permissions documentation.
To enable CMK, your Azure Key Vault must be configured with the following settings:
After you have your key vault configured, the next step is to register the CMK application that will link to your Azure tenant.
To view the Encryption configurations dashboard, select Encryption under the Administration heading of the left navigation sidebar.
Select Configure to open the Customer Managed Keys configuration view. This workspace contains all the necessary values to complete the steps described below and perform the integration with your Azure Key vault.
To start the registration process, copy the application authentication URL for your organization from the Customer Managed Keys configuration view and paste it into your Azure environment. The CMK application must then be assigned the Key Vault Crypto Service Encryption User role on your key vault. Details on how to assign a role are provided in the next section.
Select the copy icon beside the Application authentication url.
Copy and paste the Application authentication url into a browser to open an authentication dialog. Select Accept to add the CMK app service principal to your Azure tenant. Confirming the authentication redirects you to the Experience Cloud landing page.
If you have multiple Microsoft Azure subscriptions, then you could potentially connect your Platform instance to the wrong key vault. In this situation, you must swap the common section of the application authentication URL name for the CMK directory ID.
Copy the CMK directory ID from the Portal settings, Directories, and Subscriptions page of the Microsoft Azure application.
Next, paste it into your browser address bar.
After completing the authentication process, navigate back to your Azure Key Vault and select Access control in the left navigation. From here, select Add followed by Add role assignment.
The next screen prompts you to choose a role for this assignment. Select Key Vault Crypto Service Encryption User before selecting Next to continue.
On the next screen, choose Select members to open a dialog in the right rail. Use the search bar to locate the service principal for the CMK application and select it from the list. When finished, select Save.
If you cannot find your application in the list, then your service principal has not been accepted into your tenant. To ensure that you have correct privileges, work with your Azure administrator or representative.
You can verify the application by comparing the Application ID provided on the Customer Managed Keys configuration view with the Application ID provided on the Microsoft Azure application overview.
All the details necessary to verify Azure tools are included in the Platform UI. This level of granularity is provided because many users wish to use other Azure tools to enhance their ability to monitor and log this application's access to their key vault. Understanding these identifiers is critical for that purpose and to help Adobe services access the key.
After installing the CMK app on Azure, you can send your encryption key identifier to Adobe. Select Keys in the left navigation, followed by the name of the key you want to send.
Select the latest version of the key to open its details page. From here, you can optionally configure the permitted operations for the key.
The minimum required operations to be permitted for the key are the Wrap Key and Unwrap Key permissions. You can include Encrypt, Decrypt, Sign, and Verify should you want.
The Key Identifier field displays the URI identifier for the key. Copy this URI value for use in the next step.
Once you have copied the Key Identifier URI, return to the Customer Managed Keys configuration view and enter a descriptive Configuration name. Next, paste the Key Identifier taken from the Azure Key details page into the Key vault key identifier field and select Save.
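The following added example (not part of the Adobe documentation or the Platform product) shows a pre-flight check a practitioner might run before pasting the Key Identifier: it confirms the identifier is a versioned Key Vault key URI, that the key's permitted operations include at least Wrap Key and Unwrap Key, that the key is enabled, and that the Application ID shown in Platform matches the one in the Azure app overview. The sample key-details record is constructed and shaped like what Azure returns for a key; the public-cloud `vault.azure.net` suffix is an assumption.

```python
import re

# Versioned Key Vault key identifier, e.g.
# https://<vault>.vault.azure.net/keys/<key-name>/<32-hex-version>
# (assumption: Azure public cloud DNS suffix; sovereign clouds use others)
KEY_ID_RE = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]+)\.vault\.azure\.net"
    r"/keys/(?P<name>[A-Za-z0-9-]+)/(?P<version>[0-9a-f]{32})$"
)
REQUIRED_OPS = {"wrapKey", "unwrapKey"}                   # minimum the page requires
OPTIONAL_OPS = {"encrypt", "decrypt", "sign", "verify"}  # extras the page allows

def parse_key_identifier(uri):
    """Return vault/name/version for a versioned key identifier, else None."""
    m = KEY_ID_RE.match(uri.strip())
    return m.groupdict() if m else None

def check_key_details(details):
    """Return a list of problems in a Key Vault key-details record (empty = OK)."""
    problems = []
    key = details.get("key", {})
    if parse_key_identifier(key.get("kid", "")) is None:
        problems.append("kid is not a versioned Key Vault key identifier")
    ops = set(key.get("keyOps", []))
    missing = REQUIRED_OPS - ops
    if missing:
        problems.append("missing required operations: " + ", ".join(sorted(missing)))
    unexpected = ops - REQUIRED_OPS - OPTIONAL_OPS
    if unexpected:
        problems.append("unexpected operations: " + ", ".join(sorted(unexpected)))
    if not details.get("attributes", {}).get("enabled", False):
        problems.append("key is disabled")
    return problems

def application_ids_match(platform_app_id, azure_app_id):
    """Compare the Application ID shown in Platform with the Azure app overview."""
    return platform_app_id.strip().lower() == azure_app_id.strip().lower()

# Constructed sample shaped like Key Vault key details; not a real key.
SAMPLE_KEY_DETAILS = {
    "key": {
        "kid": "https://example-vault.vault.azure.net/keys/cmk-key/"
               "0123456789abcdef0123456789abcdef",
        "keyOps": ["wrapKey", "unwrapKey", "encrypt", "decrypt"],
    },
    "attributes": {"enabled": True},
}

if __name__ == "__main__":
    print(check_key_details(SAMPLE_KEY_DETAILS) or "key details look usable for CMK")
```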
You are returned to the Encryption configurations dashboard. The status of the Customer Managed Keys configuration displays as Processing.
Allow a significant amount of time for processing. To check the status of the configuration, return to the Customer Managed Keys configuration view and scroll down to the Configuration status. The progress bar has advanced to step one of three and explains that the system is validating that Platform has access to the key and key vault.
There are four potential statuses of the CMK configuration. They are as follows:
FAILED: A problem occurred, primarily related to the key, key vault, or multi-tenant app setup.
By completing the above steps, you have successfully enabled CMK for your organization. Data that is ingested into primary data stores will now be encrypted and decrypted using the key(s) in your Azure Key Vault.