Marketing Cloud Engagement
          Create Your Own Encryption Key

          You can create an encryption key in Marketing Cloud Engagement, using multiple keys for the creation and wrapping process. You provide the wrapped version of the Intermediate Key and Private Key. Use Base64 encoding for the wrapped keys before you import them.

          Always keep backups of your created key values. Engagement doesn’t retain revoked or deleted key values. This key is required to decrypt data in the messaging platform database.

          Key Name                | Type                             | File Format     | Key Wrapping Algorithm
          ------------------------|----------------------------------|-----------------|----------------------------------------------------------------------------------------------------------
          Salesforce Wrapping Key | RSA 4096 Public Key              | PEM (PKCS #8)   | N/A
          Intermediate Key        | AES 256                          | Binary (bytes)  | OAEP with SHA256 and MGF1 padding; wrap the Intermediate Key with the Salesforce Wrapping Key
          Private Key             | RSA 2048 Private-Public Key Pair | DER (PKCS #8)   | AES key wrap with padding and Alternate Initial Value (RFC 5649); wrap the Private Key with the Intermediate Key

          These steps show how to generate and wrap key files using OpenSSL. We recommend OpenSSL 3.0. These example steps aren’t always suitable for a production environment. A patch is required to enable AES key wrapping on OpenSSL 1.1.1.

          1. Hover over your name and click Setup.
          2. Type Bring Your Own Key in the search field and click Bring Your Own Key.
          3. Click New Key and select Import Wrapped Key.
          4. Copy the RSA public key value from the Wrapping Key field. You can click the Copy icon next to the text field. Store the key in a file called salesforce_rsa_pub for later use. The public key remains the same value regardless of key type.
            Engagement generates an RSA 4096 key pair for each enabled account. Access the public key value through the Wrapping Key field displayed on the Import Wrapped Key page. The corresponding private key is stored in a non-exportable configuration for unwrapping purposes.
          5. Create an AES 256 intermediate key. This command generates an AES256 key in binary format with 32 random bytes.
            Command:
            openssl rand -out aeskey.bin 32
          6. Convert the binary AES key into HEX format. This example uses the xxd tool to perform the conversion.

            Command:

            xxd -plain -c 100 aeskey.bin > aeskey.hex

            To view the hex format, enter type aeskey.hex in Command Prompt or cat aeskey.hex in bash.

            Sample Expected Output:

            137c4fe6a7d08341e7756fd02050fff513e1d92ff464c35977d650b81f67a73f
          7. Encrypt the intermediate AES key from aeskey.bin created in step 5 with the Salesforce RSA key from salesforce_rsa_pub created in step 4. Use OAEP with SHA256 and MGF1 Padding. Store the output in a file called oaep_wrapped_intermediate_aes_key.
            Command:
            openssl pkeyutl -in aeskey.bin -encrypt -pubin -inkey salesforce_rsa_pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > oaep_wrapped_intermediate_aes_key
          8. Generate your RSA 2048 public-private keypair. Import this key value for use as the key encryption key. Store this key in a safe and secure location.
            Command:
            openssl genrsa -out customer_key_private.pem 2048
          9. Convert the RSA key into pkcs#8 format and save it in a file named customer_key.der.
            Command:
            openssl pkcs8 -topk8 -inform pem -in customer_key_private.pem -outform der -nocrypt -out customer_key.der
          10. Encrypt the RSA key with the intermediate AES key. Replace the <YOURAESKEYVALUE> placeholder with the hex AES key value from step 6. The -iv value A65959A6 is the alternative initial value that RFC 5649 defines for AES key wrap with padding.
            Command:
            openssl enc -id-aes256-wrap-pad -nosalt -in customer_key.der -K <YOURAESKEYVALUE> -iv A65959A6 > aes_wrapped_user_rsa_key
            Sample Command:
            openssl enc -id-aes256-wrap-pad -nosalt -in customer_key.der -K 94607bc6e0078bc1e07a99fafb37f494933b8b8cff085ac308fdbaed988642f8 -iv A65959A6 > aes_wrapped_user_rsa_key
          11. Base64-encode the wrapped intermediate AES key and store it in a file called oaep_wrapped_intermediate_aes_key.b64.
            Command:
            openssl base64 -in oaep_wrapped_intermediate_aes_key -out oaep_wrapped_intermediate_aes_key.b64
          12. Base64-encode the wrapped RSA key and store it in a file called aes_wrapped_user_rsa_key.b64.
            Command:
            openssl base64 -in aes_wrapped_user_rsa_key -out aes_wrapped_user_rsa_key.b64
          Salesforce Help | Article