Start tracking your progress
Trailhead Home
Trailhead Home

Manage Your Encryption Keys

Learning Objectives

After completing this unit, you’ll be able to:

  • Create encryption keys.
  • Use encryption keys in Marketing Cloud.
  • Encrypt and decrypt data in Marketing Cloud.

Here Are the Keys

Marketing Cloud security revolves around keys. Keys are values used to securely allow different functions in Marketing Cloud—such as encrypting and decrypting data, managing single sign-on, or generating JSON Web Token (JWT) values for custom Journey Builder activities.

So, where can you find these keys? In Marketing Cloud, click Setup and expand the Data Management section to find the Key Management page. This page is where you create and manage your keys. You can create several different types of keys, depending on your needs. Let’s review.

  • Asymmetric keys require you to upload a certificate to create the key. These keys help you encrypt and decrypt data and digitally sign email messages.
  • Symmetric keys require you to create a passphrase for use with the key. This key value requires 32 hexadecimal characters. These keys help you encrypt and decrypt data and digitally sign email messages.
  • Initialization vector keys allow you to specify the 16-bit value yourself, or you can let Key Management create the values for you. Use this key to enable your field level encryption implementations.
  • Salt keys use a hex value longer than 8 bits. The encryption uses random bits with a password or passphrase to generate JWTs for custom Journey Builder activities.
  • SSH keys allow SFTP authentication and also require an uploaded certificate.
  • SSO Metadata keys allow you to integrate a single sign-on authentication for Marketing Cloud. You can only create this key if your account is enabled for SSO authentication.
Note

Note

Keep in mind that you should never store sensitive data in Marketing Cloud, including:
  • Social Security, passport, driver's license, or other identification numbers issued by governments
  • Credit card, debit card, bank account, or other financial account numbers

No matter what encryption scheme you use, Marketing Cloud is not intended to store this information.

Encrypt Your Data

Encryption keys play a wide variety of roles in Marketing Cloud activities. For example, you can encrypt and decrypt data at send time, as shown in this AMPscript example.

Example: Encrypt and Decrypt Data with AMPscript 

The first script encrypts the value ExampleDate with the provided external keys, and the second script decrypts that data.

%%[
     SET @encData=EncryptSymmetric("ExampleData", "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
     SET @clearData=DecryptSymmetric(@encData, "AES", "passwordExternalKey", @null, "saltExternalKey", @null, "IVExternalKey", @null)
]%%

You can also encrypt and decrypt data for file transfer activities in Automation Studio. Specify the key as part of the file transfer activity from the Marketing Cloud Safehouse location to an FTP Location.

Note

Note

Want to know more about managing your data in Marketing Cloud? Check out the Marketing Cloud Data Management module.

Encode Your JWTs

You can also use salt keys to encode JSON Web Token (JWT) information in a Journey Builder activity. The JWT validates the identity of API calls to your custom activities. Use a JWT for activities that are retrieving sensitive data or performing sensitive actions. In this example, the sample code uses a JWT value and a salt key for the execute, save, validate, and publish activities.

Example: Encode JWTs for Journey Builder

var ixn = {
   "id": "...",
   "key": "...",
   "name": "My journey",
   "version": 1,
   "workflowApiVersion": 1,
   "activities": [
      {
         "key": "REST-1",
         "name": "Custom REST Activity",
         "type": "REST",
         "outcomes": [
            {
               "next": null
            }
         ],
         "arguments": {
            "execute": {
               "inArguments": [
                  {
                     "message": "someMessage"
                  }
               ],
               "outArguments": [],
               "url": "https://example.com/post.php?dir=et_rest_activity_execute",
               "body": "{email-body}",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here",
               "timeout": 10000
            }
         },
         "configurationArguments": {
            "save": {
               "url": "https://example.com/post.php?dir=et_rest_activity_save",
               "body": "",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here"
            },
            "validate": {
               "url": "https://example.com/post.php?dir=et_rest_activity_validate",
               "body": "",
               "header": "",
               "useJwt": true,
               "customerKey": "your-encryption-customer-key-here"
            },
               "publish": {
                  "url": "https://example.com/post.php?dir=et_rest_activity_publish",
                  "body": "",
                  "header": "",
                  "useJwt": true,
                  "customerKey": "your-encryption-customer-key-here"
               }
            },
            "metaData": {
               "isConfigured": true
            }
         }
      ],
      "triggers": [],
      "goals": [],
      "entryMode": "SingleEntryAcrossAllVersions",
      "executionMode": "Production",
      "status": "Draft"
};

Implement SSO for Your Marketing Cloud Account

Lastly, any single sign-on integration requires an SSO metadata key. The information for this key changes depending on the provider used to create your integration, but you need these values to complete the process.

  • SAML metadata
  • Fetch data from URL (generated automatically from your provider’s specified URL)
  • Provider certificate
  • Entity ID
  • Name ID Format
  • Single Logout Service Location and Binding (determined by your provider)

Create only the keys you need to accomplish your activities and store them securely—like any other security situation, it’s not a good idea to leave keys lying around. Next, let’s take a look at the best ways to keep your web and landing pages secure.

Resources