Walkthrough: Configuring Always Encrypted for the Sitecore Cortex Processing databases using Azure Key Vault

Version: 10.4

Applies to	Sitecore Cortex™ Processing Storage database, Sitecore Cortex Processing Tasks database
Sitecore Installation Framework	Always Encrypted is not enabled by default.
Sitecore Azure Toolkit	Always Encrypted is not enabled by default.

The Sitecore Cortex Processing Tasks database and the Sitecore Cortex Processing Storage database support the Always Encrypted feature for columns that contain sensitive data. You can enable Always Encrypted for existing databases using Azure Key Vault.

This walkthrough tells you how to perform the following tasks:

Create keys
Configure Sitecore Cortex Processing roles
Configure Always Encrypted for the Tasks and Storage database

Create keys

Refer to Microsoft’s Azure Key Vault documentation for information about setting up Azure Key Vault. The overall steps are:

Create a key vault and a new key.
Register applications (xConnect roles) in Azure Active Directory.
Authorize the applications to use the key/secret.
Create a Column Master Key (CMK) and Column Encryption Key (CEK) based on the Azure Key Vault. For information on how to do this, see the Master Key Configuration section in the Microsoft documentation.

Configure Sitecore Cortex Processing roles

You must complete the following steps on every instance of the roles that access the Sitecore Cortex Processing Tasks and Sitecore Cortex Processing Storage databases:

Sitecore Cortex Processing Engine
Sitecore Cortex Processing service

To configure the Sitecore Cortex Processing roles to use Always Encrypted:

Set the SqlCommandColumnEncryptionEnabled element to true in the following configuration files for the Sitecore Cortex Processing service role:
- <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml (enables encryption of blob storage)
Set the SqlCommandColumnEncryptionEnabled element to true in the following configuration files for the Sitecore Cortex Processing Engine:
- <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Cursors.Sql.xml (enables encryption of cursors)
- <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml (enables encryption of blob storage)
- <role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Tasks.Sql.xml (enables encryption of tasks)
Note

In the default topologies, the Sitecore Cortex Processing Engine is bundled with the Cortex Processing roles. All Cortex Processing Engine configuration files are located under: <processing-service-root>\App_data\jobs\continuous\ProcessingEngine\App_Data\Config\Sitecore\Processing
Enable <role-root>\App_Data\Config\Sitecore\CoreServices\sc.Xdb.Sql.Common.Encryption.AzureKeyVault.xml.disabled. You must perform this step on both the Cortex Processing Engine and the Cortex Processing Table and Storage service.

Note

This file defines the names of the ClientIdAppSettingsKey (devault value: AzureKeyVaultClientId) and ClientSecretAppSettingsKey (default value: AzureKeyVaultClientSecret) settings. You do not need to change these settings.
In <role-root>\App_Config\AppSettings.config (), add the following app settings. You must perform this step on both the Sitecore Cortex Processing Engine and the Sitecore Cortex Processing Table and Storage service. Copy values for it from the Azure Key Vault (ClientId and SecretId):
RequestResponse
```
<add key="AzureKeyVaultClientId" value="1fb143e0-b103-472b-a281-c8727d3dfb2f" />
<add key="AzureKeyVaultClientSecret" value="mfCEb0z5r3UOIBMG38tpbdi1OvC9NvUSJV9u+VwpGEg="" />
```

Configure Always Encrypted for the Tasks and Storage database

Important

These instructions do not apply to the xDB Processing Tasks and xDB Processing Pools databases.

To configure Always Encrypted for the Sitecore Cortex™ Processing Storage and Sitecore Cortex Processing Tasks databases:

Configure Always Encrypted for the following columns with the corresponding encryption types: ·

Database	Column	Encryption Type
Cortex Processing Tasks database	[Cursors].[Bookmark]	RANDOMIZED
Cortex Processing Tasks database	[Tasks].[Options]	RANDOMIZED
Cortex Processing Storage database	[Blobs].[Value]	RANDOMIZED

Grant the following permissions to the restricted user (processingengineuser by default):

RequestResponse

GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [<restricted_user>]
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [restricted_user]

Do you have some feedback for us?

If you have suggestions for improving this article,