
Manage Your Encryption Keys

Learning Objectives

After completing this unit, you’ll be able to:

  • Create encryption keys.
  • Use encryption keys in Marketing Cloud Engagement.
  • Encrypt and decrypt data in Marketing Cloud Engagement.

Here Are the Keys

Marketing Cloud Engagement security revolves around keys. Keys are values used to securely allow different functions in Marketing Cloud Engagement—such as encrypting and decrypting data, managing single sign-on, or generating JSON Web Token (JWT) values for custom Journey Builder activities.

So, where can you find these keys? In Marketing Cloud Engagement, click Setup and expand the Data Management section to find the Key Management page. This page is where you create and manage your keys. You can create several different types of keys, depending on your needs. Let’s review.

  • Asymmetric keys require you to upload a certificate to create the key. These keys help you encrypt and decrypt data and digitally sign email messages.
  • Symmetric keys require you to create a passphrase for use with the key. This key value requires 32 hexadecimal characters. These keys help you encrypt and decrypt data and digitally sign email messages.
  • Initialization vector keys allow you to specify the 16-bit value yourself, or you can let Key Management create the values for you. Use this key to enable your field level encryption implementations.
  • Salt keys use a hex value longer than 8 bits. The encryption uses random bits with a password or passphrase to generate JWTs for custom Journey Builder activities.
  • SSH keys allow SFTP authentication and also require an uploaded certificate.
  • SSO Metadata keys allow you to integrate a single sign-on authentication for Marketing Cloud Engagement. You can only create this key if your account is enabled for SSO authentication.
Note
Keep in mind that you should never store sensitive data in Marketing Cloud Engagement, including:
  • Social Security, passport, driver's license, or other identification numbers issued by governments
  • Credit card, debit card, bank account, or other financial account numbers

No matter what encryption scheme you use, Marketing Cloud Engagement is not intended to store this information.

Encrypt Your Data

Encryption keys play a wide variety of roles in Marketing Cloud Engagement activities. For example, you can encrypt and decrypt data at send time, as shown in this AMPscript example.

Example: Encrypt and Decrypt Data with AMPscript

The first script encrypts the value ExampleData with the provided external keys, and the second script decrypts that data.

%%[
     SET @encData=EncryptSymmetric("ExampleData", "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
     SET @clearData=DecryptSymmetric(@encData, "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
]%%

You can also encrypt and decrypt data for file transfer activities in Automation Studio. Specify the key as part of the file transfer activity that moves files from the Marketing Cloud Engagement Safehouse location to an FTP location.

Note

Want to know more about managing your data in Marketing Cloud Engagement? Check out the Marketing Cloud Engagement Data Management module.

Encode Your JWTs

You can also use salt keys to encode JSON Web Token (JWT) information in a Journey Builder activity. The JWT validates the identity of API calls to your custom activities. Use a JWT for activities that retrieve sensitive data or perform sensitive actions. In this example, the sample code enables a JWT (useJwt) and references a salt key by its customer key for the execute, save, validate, and publish endpoints of the custom activity.

Example: Encode JWTs for Journey Builder

var ixn = {
   "id": "...",
   "key": "...",
   "name": "My journey",
   "version": 1,
   "workflowApiVersion": 1,
   "activities": [
      {
         "key": "REST-1",
         "name": "Custom REST Activity",
         "type": "REST",
         "outcomes": [
            {
               "next": null
            }
         ],
         "arguments": {
            "execute": {
               "inArguments": [
                  {
                     "message": "someMessage"
                  }
               ],
               "outArguments": [],
               "url": "https://example.com/post.php?dir=et_rest_activity_execute",
               "body": "{email-body}",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here",
               "timeout": 10000
            }
         },
         "configurationArguments": {
            "save": {
               "url": "https://example.com/post.php?dir=et_rest_activity_save",
               "body": "",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here"
            },
            "validate": {
               "url": "https://example.com/post.php?dir=et_rest_activity_validate",
               "body": "",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here"
            },
            "publish": {
               "url": "https://example.com/post.php?dir=et_rest_activity_publish",
               "body": "",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here"
            }
         },
         "metaData": {
            "isConfigured": true
         }
      }
   ],
   "triggers": [],
   "goals": [],
   "entryMode": "SingleEntryAcrossAllVersions",
   "executionMode": "Production",
   "status": "Draft"
};

Implement SSO for Your Marketing Cloud Engagement Account

Lastly, any single sign-on integration requires an SSO metadata key. The information for this key changes depending on the provider used to create your integration, but you need these values to complete the process.

  • SAML metadata
  • Fetch data from URL (generated automatically from your provider’s specified URL)
  • Provider certificate
  • Entity ID
  • Name ID Format
  • Single Logout Service Location and Binding (determined by your provider)

Create only the keys you need to accomplish your activities and store them securely—like any other security situation, it’s not a good idea to leave keys lying around. Next, let’s take a look at the best ways to keep your web and landing pages secure.
