Customer-managed keys in Adobe Experience Platform
Data stored on Adobe Experience Platform is encrypted at rest using system-level keys. If you are using an application built on top of Platform, you can opt to use your own encryption keys instead, giving you greater control over your data security.
This document provides a high-level overview of the process for enabling the customer-managed keys (CMK) feature in Platform, and the prerequisite information required to complete these steps.
Prerequisites
To view the Encryption section in Adobe Experience Platform, you must have created a role and assigned the Manage Customer Managed Key permission to that role. Any user that has the Manage Customer Managed Key permission can enable CMK for their organization.
For more information on assigning roles and permissions in Experience Platform, refer to the configure permissions documentation.
In order to enable CMK, your Azure Key Vault must be configured with the following settings:
Please read the linked documentation to better understand the process.
Process summary
CMK is included in the Healthcare Shield and the Privacy and Security Shield offerings from Adobe. After your organization purchases a license for one of these offerings, you can begin a one-time process for setting up the feature.
The process is as follows:
- Configure an Azure Key Vault based on your organization’s policies, then generate an encryption key that will ultimately be shared with Adobe.
- Set up the CMK app with your Azure tenant through either API calls or the UI.
- Send your encryption key ID to Adobe and start the enablement process for the feature either in the UI or with an API call.
- Check the status of the configuration to verify whether CMK has been enabled either in the UI or with an API call.
Once the setup process is complete, all data onboarded into Platform across all sandboxes will be encrypted using your Azure key setup. To use CMK, you will leverage Microsoft Azure functionality that may be part of their public preview program.
Implications of revoking key access
Revoking or disabling access to the Key Vault, key, or CMK app can result in significant disruptions, including breaking changes to your Platform's operations. Once these keys are disabled, data in Platform may become inaccessible, and any downstream operations that rely on this data will cease to function. It is crucial to fully understand the downstream impacts before making any changes to your key configurations.
If you decide to revoke Platform access to your data, you can do so by removing the user role associated with the application from the Key Vault within Azure.
Propagation timelines
After key access is revoked from your Azure Key Vault, the changes will propagate as follows:
For example, the Profile dashboard will continue to display data from its cache for up to seven days before the data expires and is refreshed. Similarly, re-enabling access to the application takes the same amount of time to restore data availability across these stores.
Next steps
To begin the process, start by configuring an Azure Key Vault and generating an encryption key to share with Adobe.