Frequently Asked Questions

Find answers to common questions about Field Level-Encryption in Marketing Cloud Engagement.

• Can I Change or Rotate My Keys?
  You can't rotate your Data Encryption Key (DEK). However, you can rotate the Key Encryption Key (KEK) that Marketing Cloud Engagement uses to encrypt your DEK.
• What Happens to Data from Audience Builder?
  Marketing Cloud Engagement doesn’t decrypt data from Audience Builder. You can add data to encrypted fields, but you can’t query them.
• How is Field-Level Encryption Different from Data at Rest Encryption?
  Data at Rest Encryption encrypts the underlying files stored in the file system. It’s transparent to Marketing Cloud Engagement and doesn’t impact other features. Field-Level Encryption (FLE) protects sensitive data at the level of the Marketing Cloud Engagement application. Users and admins can’t view FLE data as plain text in the Marketing Cloud Engagement web interface.
• Can I Create a Data Extension with Field-Level Encryption Without Using a Template?
  Yes. Use Contact Builder to create data extensions that use Field-Level Encryption. You don't need to copy an existing data extension that uses Field-Level Encryption.
• Why Do All Email Addresses Look the Same When Field-Level Encryption Is Enabled?
  When field-level encryption is turned on, email addresses in the All Subscribers list are shown in a similar format. Encrypted email addresses are displayed in this format: Email_Unavailable_760544@exct.net.
• Can I Use Suppression Lists When Field-Level Encryption is Enabled?
  Yes, you can use still suppression lists after enabling Field-Level Encryption. Add subscribers to your suppression lists by using their subscriber keys.
• Can I Use Data Filters when Field-Level Encryption is Enabled?
  No, you can’t use data filters when Field-Level Encryption is enabled in your account. Additionally, you can’t filter encrypted values or save data filters with encrypted fields.
• How Do Query Activities Work with Field-Level Encryption?
  You can use plain text values to filter, copy, or overwrite data in other data extensions with matching field types. Marketing Cloud Engagement can perform AMPscript functions on unencrypted data in a data extension, but can’t encrypt or decrypt manipulated data.
• Which Account Types Can Use Field-Level Encryption?
  All Marketing Cloud Engagement account types can use Field-Level Encryption if they meet the requirements for doing so.
• Which Send Types Does Field-Level Encryption Support
  Field-Level Encryption supports data extension sends and triggered sends.
• How Do I View the Data in an Encrypted Field?
  Marketing Cloud Engagement automatically decrypts data stored in encrypted fields. Use personalization strings in sent emails, web pages, preview sends and landing pages to view the unencrypted data.
• Can I Use Field-Level Encryption with Tokenized Sending or Data Obfuscation?
  No, you can’t use Field-Level Encryption with tokenized sending or data obfuscation.
• Can I Use Field-Level Encryption with Data at Rest Encryption?
  You can use Data at Rest Encryption at the same time as Field-Level Encryption. Data at Rest Encryption encrypts the underlying files stored in the file system. Field-Level Encryption is applied at the application level for certain configurable fields.
• Can I Use Mobile Studio with Field-Level Encryption?
  You can use Mobile Studio with Field-Level Encryption. Mobile Studio doesn’t permit encryption for mobile numbers used as subscriber keys and doesn’t decrypt mobile numbers at send time.