Set up customer-managed keys (CMK)

Manage data-at-rest encryption using your own encryption keys. For more information, please visit the customer-managed keys documentation.

In this video, we’ll show you how to set up customer-managed keys in Experience Platform. By default, all data stored in Platform is encrypted at rest and in transit using system-level encryption. Platform also lets you use your own encryption keys instead, giving you greater control over your data security. The Customer Managed Keys feature is available to organizations that have purchased Healthcare Shield or Privacy and Security Shield. CMK lets you store encryption keys separately from your data, in a key vault managed and controlled exclusively by your organization. Through a single key management service, you can deauthorize access to the data covered by the key: if you revoke the key, Adobe can no longer perform any operations on that data.

Before we jump into the demo, let’s take a quick look at how CMK is configured in Platform. Enabling CMK is a one-time process: once you set up customer-managed keys, you cannot revert to system-managed keys. The process can be broken down into four steps that span your Azure tenant and Experience Platform. First, you license and configure a key vault and a key within Azure, following your internal security policies and the recommendations in our documentation. Second, Adobe provides you with a CMK app, which is an Azure Active Directory application; you register this app with your key vault and assign it the appropriate role, giving Experience Platform access to that vault. Third, once the CMK app is set up in your Azure key vault, you send your encryption key identifier to Adobe to enable the key configuration in Platform. Finally, you verify the status of the configuration in Platform. All Experience Platform steps can be done in the Platform interface or by using Platform APIs. For this video, we’re going to focus on the Platform interface. Now let’s dive into the demo to take a look at these four steps.
Here, I’m logged into Azure. Let’s go ahead and create a key vault. Configure your vault according to your company’s internal security policies, and make sure that you enable the soft delete and purge protection options. If you don’t turn on these features and your key vault or key is deleted, you could lose access to your data. Once you’re done, create the vault. To save time, I’ve already generated a key within the key vault; we will share this key identifier with Platform in a later step. As you can see, I’ve checked wrap key and unwrap key as permitted operations. These are the minimum operations the key needs, but you can also include encrypt, decrypt, sign, and verify if you want to.

Now let’s register our CMK application. For this, we’ll jump into the encryption configuration dashboard in the Platform interface. If you don’t see the Encryption section under the Administration heading in the left panel, you need an administrator to add your account to a role that has the Manage Customer Managed Keys permission. Refer to our documentation to learn how to assign roles and permissions in Experience Platform. As you can see here, system-managed encryption is currently active for our org. I’ll click Configure to start setting up customer-managed keys. I’ll copy the application authentication URL into my browser. Since our Azure account spans multiple subscriptions and directories, we need to replace the common segment of the application authentication URL with the directory (tenant) ID of the directory that holds the key vault. I can find the directory ID on the Directories and Subscriptions page in the Azure portal settings. I’ll copy it from there, paste it into the URL, and we’re prompted to authenticate. Accepting this adds the CMK App service principal to our Azure tenant. Now let’s go back to our Azure key vault and navigate to Access Control to complete setting up the CMK App. We now need to assign the CMK App a role.
I’ll click Add role assignment. The role we need is Key Vault Crypto Service Encryption User. Let’s select it and click Next. The next step is to add the CMK App to the members assigned to this role. I’ll click Select members and search for the name of our application; we can grab the name from the Platform interface. Let’s add it and click Select. Then we review and assign the role, and we’ve successfully configured the key vault and the CMK App within Azure. The next step is to enable the encryption key configuration in Platform. Let’s go to the key we created in the Azure key vault and copy the key identifier.
In the Platform interface, I’ll paste the value into the Key Vault Key Identifier field, add a descriptive configuration name, and hit Save. You’ll see our configuration is in Processing status, so we’ll need to wait a bit for that to complete. You can monitor and verify the status of the configuration at any time by clicking View and scrolling down to the Configuration Status progress bar. You can see that we have one step out of three completed. This is the step where Platform validates that it can access the key and key vault. In step two, the key vault and key name are being added to all data stores across your organization. Step three signifies that the key vault and key name have been successfully added to the data stores.

Now you know how to enable customer-managed keys in Experience Platform. We hope this video helps you ensure that the data you ingest into Platform is encrypted and decrypted using keys that your organization fully controls. Thanks for watching!
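As an added example (not Adobe’s or Microsoft’s code), the following Azure CLI script performs the Azure-side steps from the walkthrough above and adds the checks a practitioner would want before handing the key to Platform: soft delete and purge protection on, the key limited to wrapKey and unwrapKey, the CMK app’s service principal holding Key Vault Crypto Service Encryption User on the vault, and the key identifier in the versioned-URL form that the Key Vault Key Identifier field expects. The resource group, vault, key and app names, the tenant ID, and the `https://login.microsoftonline.com/common/adminconsent?...` shape of the application authentication URL are assumptions; the page does not show the real values.

```shell
#!/usr/bin/env bash
# Added example: scripts the Azure side of the CMK setup with the Azure CLI and
# checks each setting the walkthrough calls out. Not Adobe's or Microsoft's code.
# Every name below is a placeholder; the consent URL shape passed to
# tenant_auth_url in main is an assumption.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aep-cmk}"        # placeholder
VAULT_NAME="${VAULT_NAME:-kv-aep-cmk-example}"        # placeholder, must be globally unique
KEY_NAME="${KEY_NAME:-aep-cmk-key}"                   # placeholder
LOCATION="${LOCATION:-eastus}"                        # placeholder
CMK_APP_NAME="${CMK_APP_NAME:-Adobe CMK App}"         # placeholder: copy the real name from the Platform UI
TENANT_ID="${TENANT_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder directory ID
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands to stderr; DRY_RUN=0 executes them

# Print (dry run) or execute a command.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*" >&2; else "$@"; fi
}

# Step 1: vault with soft delete (always on for new vaults) plus purge
# protection, using the Azure RBAC permission model so that the role
# assignment in assign_role actually grants data-plane access.
create_vault() {
  run az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --enable-rbac-authorization true \
    --enable-purge-protection true --retention-days 90
}

# Key limited to the two operations the walkthrough names as the minimum.
create_key() {
  run az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
    --kty RSA --size 3072 --ops wrapKey unwrapKey
}

# Step 2: pin the CMK app's consent URL to one directory by swapping the
# "common" path segment for the tenant ID (pure string handling, runs offline).
tenant_auth_url() {
  printf '%s\n' "$1" | sed "s#/common/#/$2/#"
}

# Step 3: give the CMK app's service principal the built-in role named above.
# '[0].id' is the object ID in the Graph-based Azure CLI (2.37+); older
# releases expose it as objectId.
assign_role() {
  if [ "$DRY_RUN" = 1 ]; then
    sp_id='<cmk-app-object-id>'; vault_id='<vault-resource-id>'
  else
    sp_id=$(az ad sp list --display-name "$CMK_APP_NAME" --query '[0].id' -o tsv)
    vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
  fi
  run az role assignment create --role "Key Vault Crypto Service Encryption User" \
    --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --scope "$vault_id"
}

# Check: refuse to proceed unless soft delete, purge protection and RBAC are
# all on. Anything other than a true answer fails closed.
verify_vault() {
  flag=$(run az keyvault show --name "$VAULT_NAME" -o tsv --query \
    'properties.enableSoftDelete && properties.enablePurgeProtection && properties.enableRbacAuthorization')
  [ "$DRY_RUN" = 1 ] && return 0
  case "$flag" in
    [Tt]rue) return 0 ;;
    *) echo "vault $VAULT_NAME: soft delete, purge protection or RBAC is off" >&2; return 1 ;;
  esac
}

# Step 4 input: Platform expects the versioned key URL. Validate the shape
# before it is pasted into the Key Vault Key Identifier field.
check_key_id() {
  printf '%s' "$1" | grep -Eq '^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

key_identifier() {
  if [ "$DRY_RUN" = 1 ]; then
    run az keyvault key show --vault-name "$VAULT_NAME" --name "$KEY_NAME" --query key.kid -o tsv
    return 0
  fi
  kid=$(az keyvault key show --vault-name "$VAULT_NAME" --name "$KEY_NAME" --query key.kid -o tsv)
  check_key_id "$kid" || { echo "unexpected key identifier: $kid" >&2; return 1; }
  printf '%s\n' "$kid"
}

main() {
  create_vault
  create_key
  echo "Open this URL to add the CMK app service principal to tenant $TENANT_ID:" >&2
  tenant_auth_url 'https://login.microsoftonline.com/common/adminconsent?client_id=<cmk-app-client-id>' "$TENANT_ID" >&2
  assign_role
  verify_vault
  echo "Paste this key identifier into Platform's Key Vault Key Identifier field:" >&2
  key_identifier
}

main
```

The script runs in dry-run mode by default and only prints the commands; run it with `DRY_RUN=0` after `az login` into the directory that holds the vault. The role assignment only grants access on a vault that uses the Azure RBAC permission model; on a vault left on the older access-policy model the assignment can still be created, but the CMK app is denied at the data plane and Platform’s first status step (validating access to the key and key vault) will not complete.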
Customer-managed keys in Adobe Experience Platform are currently only available for customers of Healthcare Shield or Privacy and Security Shield.
After setting up CMK, you cannot revert to system-managed keys. You are responsible for securely managing your keys and for keeping your Key Vault, Key, and CMK app accessible within Azure; if any of them is deleted or access is removed, you can lose access to your data.