Bring Your Own Key for Encryption at Rest

Marketing Cloud Engagement uses account-specific RSA4096 public key pairs and displays the public key to the customer's BYOK setup UI. The corresponding private key is kept inside Salesforce hosted Key Management Service (KMS) and never leaves the KMS boundary. Customers generate an intermediate AES256 key and RSA2048 encryption key, which they import via the BYOK setup UI.

The customer follows a two-step wrapping process to maintain confidentiality of the imported RSA2048 key. The intermediate AES256 key wraps the RSA2048 key. The customer-specific RSA4096 key wraps the intermediate AES256 key.

The customer provides the two wrapped key payloads to import the key. These two payloads are unwrapped inside the key management service. First the intermediate AES256 key with the corresponding RSA4096 private key is unwrapped, and then the imported RSA2048 key with the intermediate AES256 key is unwrapped.

The intermediate AES256 key is discarded and isn't stored. Imported encryption keys are stored in clear text inside the key management service. These keys are marked as non-exportable keys, so only the clear text key is visible to our system. The customer-specific database server sends encrypt and decrypt requests for that key when it needs it.

Data at Rest Encryption uses two-tier key architecture:

• The data encryption key (DEK) managed directly by the database
• The key encryption key (KEK) you provide to encrypt the data encryption key

You can your key to use for key encryption. This key takes the place of generated system keys.

This feature delivers a self-service experience for you to bring your own encryption keys to encrypt data at rest. You can manage the end-to-end lifecycle of your keys, including the import, deletion, and rotation of keys. You can also revoke a key to make all accounts and data in your tenant inaccessible. To regain access to all accounts and data in your tenant, you can restore the key.

Warning The Bring Your Own Key feature places the responsibility for creating and maintaining the key with you. Salesforce can’t recover data from a database taken offline due to key revocation. Maintain a copy of the exact key used to encrypt your database securely in your own system. Salesforce isn’t responsible for the maintenance of keys generated, imported keys, and data encrypted as part of the Bring Your Own Key feature.

When a key is revoked or deleted, it's immediately removed from the Engagement keystore. However, the system can keep a backup copy in accordance with our Marketing Cloud Trust and Compliance Documentation. This copy is deleted after the retention period. Always keep a copy of your key to access encrypted data in Marketing Cloud Engagement. Save this key value in a safe, secure location. You can use only that assigned encryption key to access the data. Otherwise, the encrypted database goes offline and you can’t restore the data from backup. The restoration process can only accept the same key used to originally encrypt the data. Only one key value is active at any time.

The overall process involves these steps.

(1) Generate the RSA encryption key.

(2) Import the encryption key.

(3) The key is active and used in the encryption process.

You can import the key using in Setup or via REST API requests. Make sure that you rotate keys regularly.

The sample commands to generate keys before the import process use an updated version of OpenSSL. You can also perform a similar function using a PKCS#11 interface on keys generated and stored on a Hardware Security Module (HSM) or an Enterprise Key Management (EKM) server.

Anyone with the Admin role can perform tasks related to your encryption keys. Allow these user permissions in the Database Encryption section of User Permissions. Assign each permission individually.

• View
• Rotate Key
• Revoke Key