Walkthrough: Configuring Always Encrypted for the Sitecore Cortex Processing databases using Windows Key Store
| Applies to | Sitecore Cortex™ Processing Storage database, Sitecore Cortex Processing Tasks database |
|---|---|
| Sitecore Installation Framework | Always Encrypted is not enabled by default. |
| Sitecore Azure Toolkit | Always Encrypted is not enabled by default. |
The Sitecore Cortex Processing Tasks database and the Sitecore Cortex Processing Storage database support the Always Encrypted feature for columns that contain sensitive data. You can enable Always Encrypted for existing databases using Windows Key Store.
This walkthrough tells you how to perform the following tasks:
- Create keys
- Configure Sitecore Cortex Processing roles
- Configure Always Encrypted for the Tasks and Storage databases
Create keys
Refer to Microsoft’s Always Encrypted documentation for information about creating and using Column Master Keys (CMK) and Column Encryption Keys (CEK). The overall steps are:
- Create a Column Master Key (CMK) and a Column Encryption Key (CEK).
- Export the CMK and import it into the appropriate certificate stores on the roles that connect to the database.
- Ensure that each role’s user has permission to access the CMK. If you are using the local machine certificate store, each role user requires Read permission.
| Topology | Roles | Example User (`<IdentityType>\<username>`) |
|---|---|---|
| XP Single | xConnect (standalone, includes Cortex Processing services) (w3wp) | IIS AppPool\AppPoolName |
| XP Single | Sitecore Cortex Processing Engine (Windows Service) | NT AUTHORITY\LocalService |
| XP Scaled | Sitecore Cortex Processing service (w3wp) | IIS AppPool\AppPoolName |
| XP Scaled | Cortex Processing Engine (Windows Service) | NT AUTHORITY\LocalService |
If you are using Azure Web App Services but not the Azure Key Vault, see Using SQL Always Encrypted with Azure Web App Service.
Configure Sitecore Cortex Processing roles
You must complete the following steps on every instance of the roles that access the Cortex Processing Tasks and Cortex Processing Storage databases:
- Sitecore Cortex Processing Engine
- Sitecore Cortex Processing service
To configure the Sitecore Cortex Processing roles to use Always Encrypted:
- Set the `SqlCommandColumnEncryptionEnabled` element to `true` in the following configuration file for the Sitecore Cortex Processing service role:
  - `<role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml` (enables encryption of blob storage)
- Set the `SqlCommandColumnEncryptionEnabled` element to `true` in the following configuration files for the Sitecore Cortex Processing Engine:
  - `<role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Cursors.Sql.xml` (enables encryption of cursors)
  - `<role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Storage.Sql.xml` (enables encryption of blob storage)
  - `<role-root>\App_Data\Config\Sitecore\Processing\sc.Processing.Engine.Tasks.Sql.xml` (enables encryption of tasks)

  Note: In the default topologies, the Sitecore Cortex Processing Engine is located in a sub-folder of the Sitecore Cortex Processing service folder. All Sitecore Cortex Processing Engine configuration files are located under:
  `<processing-service-root>\App_data\jobs\continuous\ProcessingEngine\App_Data\Config\Sitecore\Processing`
Configure Always Encrypted for the Tasks and Storage databases
These instructions do not apply to the xDB Processing Tasks and xDB Processing Pools databases.
To configure Always Encrypted for the Sitecore Cortex™ Processing Storage and Sitecore Cortex Processing Tasks databases:
- Configure Always Encrypted for the following columns with the corresponding encryption types:

  | Database | Column | Encryption Type |
  |---|---|---|
  | Cortex Processing Tasks database | [Cursors].[Bookmark] | RANDOMIZED |
  | Cortex Processing Tasks database | [Tasks].[Options] | RANDOMIZED |
  | Cortex Processing Storage database | [Blobs].[Value] | RANDOMIZED |
- Grant the following permissions to the restricted user (`processingengineuser` by default), replacing `<restricted_user>` with that user's name in both statements:

  ```sql
  GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [<restricted_user>];
  GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [<restricted_user>];
  ```
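The three procedures above (create the CMK and CEK in the Windows certificate store, encrypt the listed columns as RANDOMIZED, and grant the restricted user the key-metadata permissions) as one added PowerShell example using the SqlServer module; this is not Sitecore's code. It assumes the tables are in the `dbo` schema, the server and database names shown are placeholders, and the script runs as a Windows account holding the CMK certificate's private key; the certificate must still be exported and imported on each role host as described under Create keys.

```powershell
# Added example (SqlServer PowerShell module); not Sitecore's code.
# Assumptions: tables live in the dbo schema (placeholder), server/database names
# are placeholders, and the script runs as a Windows account that holds the
# private key of the CMK certificate.
Import-Module SqlServer

$sqlServer = "<sql-server>"                     # placeholder
$plan = @{                                      # columns from the walkthrough, all RANDOMIZED
    "<CortexProcessingTasksDb>"   = @("dbo.Cursors.Bookmark", "dbo.Tasks.Options")
    "<CortexProcessingStorageDb>" = @("dbo.Blobs.Value")
}

# 1. Column Master Key = a certificate in the Windows certificate store. Export it
#    afterwards and import it on every role host (see "Create keys").
$cert = New-SelfSignedCertificate -Subject "CN=SitecoreCortexCMK" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable `
    -Type DocumentEncryptionCert -KeyUsage DataEncipherment -KeySpec KeyExchange

function Get-SmoDatabase([string]$Server, [string]$Database) {
    $conn = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
    $conn.ConnectionString = "Server=$Server;Database=$Database;Integrated Security=True"
    $conn.Connect()
    return (New-Object Microsoft.SqlServer.Management.Smo.Server($conn)).Databases[$Database]
}

foreach ($dbName in $plan.Keys) {
    $db = Get-SmoDatabase -Server $sqlServer -Database $dbName

    # 2. Register the CMK metadata (key store provider + cert path) and a CEK wrapped by it.
    $cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
        -CertificateStoreLocation "CurrentUser" -Thumbprint $cert.Thumbprint
    New-SqlColumnMasterKey -Name "CortexCMK" -InputObject $db -ColumnMasterKeySettings $cmkSettings
    New-SqlColumnEncryptionKey -Name "CortexCEK" -InputObject $db -ColumnMasterKey "CortexCMK"

    # 3. Encrypt the existing rows. The cmdlet re-encrypts data client-side, which is why
    #    the running account needs the CMK private key; the table is offline meanwhile.
    $settings = foreach ($col in $plan[$dbName]) {
        New-SqlColumnEncryptionSettings -ColumnName $col -EncryptionType "Randomized" `
            -EncryptionKey "CortexCEK"
    }
    Set-SqlColumnEncryption -InputObject $db -ColumnEncryptionSettings $settings -LogFileDirectory "."

    # 4. The restricted user only needs to read key metadata; it never sees the CMK itself.
    Invoke-Sqlcmd -ServerInstance $sqlServer -Database $dbName -Query @"
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO [processingengineuser];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO [processingengineuser];
"@
}
```

Run it once per environment as a database owner; afterwards the role hosts only need the imported certificate, the Read permission on it for the role user, and `SqlCommandColumnEncryptionEnabled` set to `true`.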