Guidance on securing your store and rotating encryption keys: CVE-2024-34102

August 20, 2024

NOTE
Please ensure you’ve taken the steps outlined in Security update available for Adobe Commerce - APSB24-40.
NOTE
If you have trouble rotating your encryption key, please follow the steps outlined in Troubleshooting Encryption Key Rotation: CVE-2024-34102.

More details on updating the encryption key

  • When the encryption key is updated per the guidance here, a new key is generated and appended to the list of keys the application holds. That newest key becomes the primary key used for writing sensitive data. Each encrypted value records which key was used to produce it, so when the application reads a value encrypted before the rotation it selects that older key for decryption rather than the primary one. If a sensitive value is edited (for example, a payment gateway credential is changed), the new value is saved under the newest key. The newest key is also the one used to create authentication tokens, which are used to perform automations on behalf of a system-privileged user; tokens created under a retired key are therefore no longer the ones the application issues.

  • Encryption in Adobe Commerce is a general-purpose facility used for many kinds of stored data, so the key management system is designed to balance flexibility, resiliency, security, and performance. Among other things, it allows a key to be rotated without immediately re-encrypting everything that was encrypted under earlier keys: those values remain readable through the older key until they are rewritten.

  • Applying the latest security patch and rotating the key protects your store against future attacks of this kind: new writes and new authentication tokens use the fresh key. Values written before the rotation, however, stay encrypted under the previous key until they are edited and re-saved. For that reason Adobe is also working on a re-encryption method that moves existing data onto the newest key as an additional defense-in-depth measure, which we aim to make available in the next few months.
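The following is an added example, not Adobe Commerce code, that shows the key-ring behaviour described above in a small stand-alone form: a rotation appends a new key, every stored value records the index of the key that encrypted it, reads use that recorded key, edits and a bulk re-encryption pass move values onto the newest key, and a value whose key index is tampered with fails authentication. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in for AES-GCM so the example runs offline; the `index:nonce:ciphertext:tag` token layout and the configuration path names are assumptions for this example and are not the application's real storage format.

```python
"""Versioned key ring: rotate keys without re-encrypting old records (added example)."""
import base64
import hashlib
import hmac
import secrets

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


class KeyRing:
    """Ordered list of root keys; the last entry is the primary (newest) key."""

    def __init__(self):
        self._keys = []

    def rotate(self) -> int:
        """Generate a fresh 256-bit key, append it and return its index."""
        self._keys.append(secrets.token_bytes(32))
        return len(self._keys) - 1

    @property
    def newest_index(self) -> int:
        return len(self._keys) - 1

    def subkeys(self, index: int):
        """Derive separate encryption and MAC keys from root key number `index`."""
        root = self._keys[index]  # IndexError for an index the ring never issued
        enc = hmac.new(root, b"enc", hashlib.sha256).digest()
        mac = hmac.new(root, b"mac", hashlib.sha256).digest()
        return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def encrypt(ring: KeyRing, plaintext: bytes) -> str:
    """Encrypt under the newest key and record that key's index in the token."""
    index = ring.newest_index
    enc_key, mac_key = ring.subkeys(index)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag covers index and nonce, so a stored value cannot be re-pointed at another key.
    tag = hmac.new(mac_key, str(index).encode() + nonce + ct, hashlib.sha256).digest()
    return f"{index}:{_b64(nonce)}:{_b64(ct)}:{_b64(tag)}"


def key_index_of(token: str) -> int:
    """Which key in the ring encrypted this value?"""
    return int(token.split(":", 1)[0])


def decrypt(ring: KeyRing, token: str) -> bytes:
    """Decrypt with the key the value was written under, which need not be the newest."""
    idx_s, nonce_b, ct_b, tag_b = token.split(":")
    index = int(idx_s)
    nonce, ct, tag = (base64.b64decode(x) for x in (nonce_b, ct_b, tag_b))
    enc_key, mac_key = ring.subkeys(index)
    expected = hmac.new(mac_key, idx_s.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: value was tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def reencrypt_all(ring: KeyRing, store: dict) -> dict:
    """Defense in depth: rewrite every stored value under the newest key."""
    return {name: encrypt(ring, decrypt(ring, tok)) for name, tok in store.items()}


def demo() -> dict:
    """Walk through a rotation; returns the key index each stored value ends up under."""
    ring = KeyRing()
    ring.rotate()  # key 0: the original key
    store = {"payment/gateway/secret": encrypt(ring, b"constructed-example-secret")}
    ring.rotate()  # key 1: rotation performed after patching
    old = store["payment/gateway/secret"]
    # The old value is still readable and still records key 0.
    assert key_index_of(old) == 0 and decrypt(ring, old) == b"constructed-example-secret"
    # Editing the credential saves it under the newest key.
    store["payment/gateway/secret"] = encrypt(ring, b"constructed-example-new-secret")
    store["payment/other/token"] = store.pop("payment/gateway/secret")
    # Bulk re-encryption moves any untouched record off the retired key.
    store = reencrypt_all(ring, store)
    return {name: key_index_of(tok) for name, tok in store.items()}
```

Run `demo()` to see both values end up under key index 1; until `reencrypt_all` (or an edit) runs, a value written before the rotation stays under key 0, which is exactly the gap the re-encryption method mentioned above is meant to close.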

Security updates

Related security updates available for Adobe Commerce:
