Walkthrough: Setting up Always Encrypted for the suppression list in EXM
Guidance on how to set up SQL Always Encrypted to protect email addresses stored in the suppression list in the database.
The EXM database implements Always Encrypted on the suppression list table that contains contacts' email addresses. The Always Encrypted feature protects the email addresses stored in the suppression list database column. Always Encrypted provides transparent encryption from the database to client applications. You enable Always Encrypted for existing databases by setting up a Windows Key Store or the Azure Key Vault.
The instructions for generating column master keys (CMK) and column encryption keys (CEK) differ depending on the type of key store that you are using. You can use Windows Key Store or the Azure Key Vault to create keys.
The following steps apply if you are using Windows Key Store.
Refer to Microsoft’s Always Encrypted documentation for information about creating and storing Column Master Keys (CMK) and Column Encryption Keys (CEK). The overall steps are:
Create Column Master Key (CMK) and Column Encryption Key (CEK).
Export the CMK and import it into the appropriate certificate store on the Content Management (CM) instance that connects to the exm.master database:
Grant the CM role's user the permissions to access the CMK. If you are using the local machine certificate store, the role requires Read access.
Note
If you are using Azure Web App Services but not the Azure Key Vault, see Using SQL Always Encrypted with Azure Web App Service.
The following steps apply if you are using Azure Key Vault.
Refer to Microsoft’s Azure Key Vault documentation for information about setting up Azure Key Vault. The overall steps are:
Authorize the applications to use the key/secret.
Create a Column Master Key (CMK) and Column Encryption Key (CEK) based on the Azure Key Vault.
Configure Always Encrypted on the Suppression list table
To encrypt the Suppression list using the generated keys:
In SQL Server Management Studio, run the following:
\code\Sitecore.EmailCampaign.Database.Encrypted\CEK_EXM_Suppression.sql
In the EXM.Master database, right-click the Suppressions table, and then click Encrypt columns.
On the Column Selection dialog window, click the Email column, and set the Encryption type and the Encryption Key. For example:
Encryption Type: Deterministic
Encryption Key: CEK_EXM_Suppression
Follow the prompts to complete the configuration.
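To confirm the result after the wizard completes, the following query (an added example, not part of the Sitecore scripts) reads the SQL Server catalog views and shows the key chain behind the Email column: column, CEK, CMK, and key store. It assumes the table and column names used above (Suppressions, Email) and the example key name CEK_EXM_Suppression; it matches the table in any schema because the schema name is not stated here.

```sql
-- Added example: verify Always Encrypted on the suppression list.
-- Run in the EXM.Master database. Table, column and CEK names are taken
-- from the steps above; adjust them if your deployment differs.
SELECT
    s.name                      AS schema_name,
    t.name                      AS table_name,
    c.name                      AS column_name,
    c.encryption_type_desc,     -- expected: DETERMINISTIC
    c.encryption_algorithm_name,
    c.collation_name,           -- deterministic encryption of character
                                -- columns requires a BIN2 collation
    cek.name                    AS column_encryption_key,
    cmk.name                    AS column_master_key,
    cmk.key_store_provider_name, -- MSSQL_CERTIFICATE_STORE or AZURE_KEY_VAULT
    cmk.key_path,               -- certificate path or Key Vault key URL
    CASE
        WHEN c.encryption_type IS NULL
            THEN 'FAIL: column is stored in plaintext'
        WHEN c.encryption_type_desc <> 'DETERMINISTIC'
            THEN 'CHECK: encryption type is not Deterministic'
        WHEN cek.name <> N'CEK_EXM_Suppression'
            THEN 'CHECK: encrypted with a different CEK'
        ELSE 'OK'
    END                         AS check_result
FROM sys.tables AS t
JOIN sys.schemas AS s
    ON s.schema_id = t.schema_id
JOIN sys.columns AS c
    ON c.object_id = t.object_id
LEFT JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
-- A CEK can carry two encrypted values while a CMK rotation is in
-- progress, in which case this query returns one row per CMK.
LEFT JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
LEFT JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE t.name = N'Suppressions'
  AND c.name = N'Email';
```

Compare key_store_provider_name and key_path with the key store you set up (the certificate imported on the CM instance, or the Azure Key Vault key) to confirm that the CM role can reach the CMK that actually protects the column.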