Walkthrough: Configuring Always Encrypted for the Sitecore Cortex Processing databases using Windows Key Store

Abstract

How to configure Always Encrypted for the SItecore Cortex™ Processing databases using Windows Key Store.

Applies to

Sitecore Cortex™ Processing Storage database, Sitecore Cortex™ Processing Tasks database

Sitecore Installation Framework

Always Encrypted is not enabled by default.

Sitecore Azure Toolkit

Always Encrypted is not enabled by default.

The Sitecore Cortex™ Processing Tasks database and the Sitecore Cortex Processing Storage database support the Always Encrypted feature for columns that contain sensitive data. You can enable Always Encrypted for existing databases using Windows Key Store.

This walkthrough tells you how to perform the following tasks:

  • Create keys

  • Configure Cortex Processing roles

  • Configure Always Encrypted for the Tasks and Storage database

Create keys

Refer to Microsoft’s Always Encrypted documentation for information about creating and using Column Master Keys (CMK) and Column Encryption Keys (CEK). The overall steps are:

Note

If you are using Azure Web App Services but not the Azure Key Vault, see Using SQL Always Encrypted with Azure Web App Service.

Configure Cortex Processing roles

You must complete the following steps on every instance of the roles that access the Cortex Processing Tasks and Cortex Processing Storage databases:

  • Cortex Processing Engine

  • Cortex Processing Table and Blob Storage service

To configure the Cortex Processing roles to use Always Encrypted:

  1. Set the SqlCommandColumnEncryptionEnabled element to true in the following configuration files for the Cortex Processing Table and Blob Storage service roles:

    • <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml (enables encryption of blob storage)

  2. Set the SqlCommandColumnEncryptionEnabled element to true in the following configuration files for the Cortex Processing Engine:

    • <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Cursors.Sql.xml (enables encryption of cursors)

    • <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml (enables encryption of blob storage)

    • <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Tasks.Sql.xml (enables encryption of tasks)

    Note

    In the default topologies, the Cortex Processing Engine is located in a sub-folder in the Cortex Processing Table and Blob Storage service folder. All Cortex Processing Engine configuration files are located under: <processing-service-root>\App_data\jobs\continuous\ProcessingEngine\App_Data\Config\Sitecore\Processing

Configure Always Encrypted for the Tasks and Storage database

Important

These instructions do not apply to the xDB Processing Tasks and xDB Processing Pools databases.

To configure Always Encrypted for the Cortex™ Processing Storage and Cortex Processing Tasks databases:

  1. Configure Always Encrypted for the following columns with the corresponding encryption types: ·      

    Database

    Column

    Encryption Type

    Cortex Processing Tasks database

    [Cursors].[Bookmark]

    RANDOMIZED

    [Tasks].[Options]

    RANDOMIZED

    Cortex Processing Storage database

    [Blobs].[Value]

    RANDOMIZED

  2. Grant the following permissions to the restricted user (processingengineuser by default):

    GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [<restricted_user>]
    GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [restricted_user]