          Validate Your Own Encryption Key

          You can perform this process outside of Marketing Cloud Engagement to troubleshoot your key wrapping procedure and confirm that you used the correct algorithms.

          Install a patched version of OpenSSL that enables AES Key Wrap Pad and a copy of xxd to perform these steps.

          1. In your command-line interface, generate a private wrapping key and extract the public key information. The salesforce_rsa_pub2 file contains the RSA public wrapping key. Use this key instead of the public key normally obtained from Engagement.

            Command:

            openssl genrsa -out wrappingkeyprivate.pem 4096
            openssl rsa -in wrappingkeyprivate.pem -outform PEM -pubout -out salesforce_rsa_pub2
          2. Generate a new key, then perform the key wrapping and Base64 encoding. Use the salesforce_rsa_pub2 wrapping key from Step 1.
          3. Base64 decode the intermediate key to obtain the oaep_wrapped_intermediate_aes_key2 wrapped intermediate key.

            Command:

            openssl base64 -d -in oaep_wrapped_intermediate_aes_key.b64 -out oaep_wrapped_intermediate_aes_key2
          4. Unwrap the intermediate key and produce the aeskey2.bin unwrapped intermediate key. If the file size isn’t 32 bytes, ensure that you generated a 256-bit AES key in Step 2.

            Command:

            openssl pkeyutl -in oaep_wrapped_intermediate_aes_key2 -decrypt -inkey wrappingkeyprivate.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > aeskey2.bin
            Note: A failed command can indicate a problem with the intermediate key wrapping process in Step 2. Use SHA-256 for both the hash function and the mask generation function when wrapping with RSA OAEP.
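          5. Convert the intermediate key binary file into the aeskey2.hex file, then load the hex value into the AES_KEY variable. The SET command shown is Windows Command Prompt syntax.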

            Command:

            xxd -plain -c 100 aeskey2.bin > aeskey2.hex
            SET /P AES_KEY=<aeskey2.hex
            Note: To view the hex format, enter type aeskey2.hex in Command Prompt or cat aeskey2.hex in bash. Expect your value to match this sample output of 137c4fe6a7d08341e7756fd02050fff513e1d92ff464c35977d650b81f67a73f
          6. Base64 decode the aes_wrapped_user_rsa_key2 private key.

            Command:

            openssl base64 -d -in aes_wrapped_user_rsa_key.b64 -out aes_wrapped_user_rsa_key2
            Note: If this command fails, review the Base64 encoding process from Step 2.
          7. Unwrap the private key to the customer_key2.der file. The command takes the AES key value from Step 5 through the AES_KEY variable; if that variable isn't set, put the hex key value in place of %AES_KEY%.
            Command:
            openssl enc -d -id-aes256-wrap-pad -nosalt -in aes_wrapped_user_rsa_key2 -K %AES_KEY% -iv A65959A6 > customer_key2.der
            Note: If this command fails, ensure you used AES Key Wrap with Padding format in Step 2.
          8. Validate the private key.
            Command:
            openssl rsa -inform DER -in customer_key2.der -check
            Note: If the command displays the private key value, your validation is successful. Otherwise, review the generation and wrapping process in Step 2 for errors.
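
The file sizes that Steps 3 through 8 depend on can be cross-checked without decrypting anything, which helps narrow down which step produced a bad artifact. The following is an added example, not Salesforce code: it uses only the Python standard library, and the function names and the mapping of each finding to a step number are assumptions made for illustration.

```python
import base64, binascii

RSA_BYTES = 4096 // 8   # ciphertext size for the 4096-bit wrapping key from Step 1
AES_KEY_BYTES = 32      # 256-bit intermediate key expected in Step 4

def b64_strict(text):
    """Decode Base64 (line breaks allowed); return None if malformed."""
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def der_total_len(der):
    """Length declared by an outer DER SEQUENCE header, or None if absent."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def kwp_wrapped_len(plain_len):
    """RFC 5649 output size: input zero-padded to 8 bytes, plus one 8-byte block."""
    return 8 + 8 * -(-plain_len // 8)

def check_artifacts(oaep_b64, aes_hex, wrapped_b64, der):
    """Return (step, problem) findings; an empty list means the sizes agree."""
    findings = []
    oaep, wrapped = b64_strict(oaep_b64), b64_strict(wrapped_b64)
    if oaep is None:
        findings.append((3, "intermediate key is not valid Base64"))
    elif len(oaep) != RSA_BYTES:
        findings.append((4, f"RSA ciphertext is {len(oaep)} bytes, not {RSA_BYTES}"))
    try:
        if len(bytes.fromhex(aes_hex.strip())) != AES_KEY_BYTES:
            findings.append((5, "AES key is not 256 bits"))
    except ValueError:
        findings.append((5, "aeskey2.hex is not hexadecimal"))
    if wrapped is None:
        findings.append((6, "wrapped private key is not valid Base64"))
    elif len(wrapped) < 16 or len(wrapped) % 8:
        findings.append((7, "wrapped key is not a whole number of 8-byte blocks"))
    elif len(wrapped) != kwp_wrapped_len(len(der)):
        findings.append((7, "wrapped size does not match the unwrapped DER size"))
    if der_total_len(der) != len(der):
        findings.append((8, "customer_key2.der is not one complete DER SEQUENCE"))
    return findings
```

Call check_artifacts with the text of the two .b64 files, the contents of aeskey2.hex, and the bytes of customer_key2.der; each finding names the step to revisit.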
           