Manage Your Encryption Keys
Learning Objectives
After completing this unit, you’ll be able to:
- Create encryption keys.
- Use encryption keys in Marketing Cloud Engagement.
- Encrypt and decrypt data in Marketing Cloud Engagement.
Here Are the Keys
Marketing Cloud Engagement security revolves around keys. Keys are values that secure different functions in Marketing Cloud Engagement—such as encrypting and decrypting data, managing single sign-on, or generating JSON Web Token (JWT) values for custom Journey Builder activities.
So, where can you find these keys? In Marketing Cloud Engagement, click Setup and expand the Data Management section to find the Key Management page. This page is where you create and manage your keys. You can create several different types of keys, depending on your needs. Let’s review.
- Asymmetric keys require you to upload a certificate to create the key. These keys help you encrypt and decrypt data and digitally sign email messages.
- Symmetric keys require you to create a passphrase for use with the key. This key value requires 32 hexadecimal characters. These keys help you encrypt and decrypt data and digitally sign email messages.
- Initialization vector keys allow you to specify the 16-bit value yourself, or you can let Key Management create the value for you. Use this key to enable your field-level encryption implementations.
- Salt keys use a hex value longer than 8 bits. The random bits of the salt are combined with a password or passphrase to generate JWTs for custom Journey Builder activities.
- SSH keys allow SFTP authentication and also require an uploaded certificate.
- SSO Metadata keys allow you to integrate a single sign-on authentication for Marketing Cloud Engagement. You can only create this key if your account is enabled for SSO authentication.
Encrypt Your Data
Encryption keys play a wide variety of roles in Marketing Cloud Engagement activities. For example, you can encrypt and decrypt data at send time, as shown in this AMPscript example.
Example: Encrypt and Decrypt Data with AMPscript
The first script encrypts the value ExampleData with the provided external keys, and the second script decrypts that data.
%%[
  SET @encData = EncryptSymmetric("ExampleData", "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
  SET @clearData = DecryptSymmetric(@encData, "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
]%%
You can also encrypt and decrypt data for file transfer activities in Automation Studio. Specify the key as part of the file transfer activity from the Marketing Cloud Engagement Safehouse location to an FTP Location.
Encode Your JWTs
You can also use salt keys to encode JSON Web Token (JWT) information in a Journey Builder activity. The JWT validates the identity of API calls to your custom activities. Use a JWT for activities that retrieve sensitive data or perform sensitive actions. In this example, the sample code uses a JWT value and a salt key for the execute, save, validate, and publish calls of the activity.
Example: Encode JWTs for Journey Builder
var ixn = {
  "id": "...",
  "key": "...",
  "name": "My journey",
  "version": 1,
  "workflowApiVersion": 1,
  "activities": [
    {
      "key": "REST-1",
      "name": "Custom REST Activity",
      "type": "REST",
      "outcomes": [
        { "next": null }
      ],
      "arguments": {
        "execute": {
          "inArguments": [
            { "message": "someMessage" }
          ],
          "outArguments": [],
          "url": "https://example.com/post.php?dir=et_rest_activity_execute",
          "body": "{email-body}",
          "header": "",
          "useJwt": true,
          "customerKey": "your-encryption-customer-key-here",
          "timeout": 10000
        }
      },
      "configurationArguments": {
        "save": {
          "url": "https://example.com/post.php?dir=et_rest_activity_save",
          "body": "",
          "header": "",
          "useJwt": true,
          "customerKey": "your-encryption-customer-key-here"
        },
        "validate": {
          "url": "https://example.com/post.php?dir=et_rest_activity_validate",
          "body": "",
          "header": "",
          "useJwt": true,
          "customerKey": "your-encryption-customer-key-here"
        },
        "publish": {
          "url": "https://example.com/post.php?dir=et_rest_activity_publish",
          "body": "",
          "header": "",
          "useJwt": true,
          "customerKey": "your-encryption-customer-key-here"
        }
      },
      "metaData": { "isConfigured": true }
    }
  ],
  "triggers": [],
  "goals": [],
  "entryMode": "SingleEntryAcrossAllVersions",
  "executionMode": "Production",
  "status": "Draft"
};
```
Implement SSO for Your Marketing Cloud Engagement Account
Lastly, any single sign-on integration requires an SSO metadata key. The information for this key changes depending on the provider used to create your integration, but you need these values to complete the process.
- SAML metadata
- Fetch data from URL (generated automatically from your provider’s specified URL)
- Provider certificate
- Entity ID
- Name ID Format
- Single Logout Service Location and Binding (determined by your provider)
Create only the keys you need to accomplish your activities and store them securely—like any other security situation, it’s not a good idea to leave keys lying around. Next, let’s take a look at the best ways to keep your web and landing pages secure.