Skip to main content

Walkthrough: Setting up Always Encrypted for the suppression list in EXM


Guidance on how to set up SQL Always Encrypted to protect email addresses stored in the suppression list in the database.

The EXM database implements Always Encrypted on the suppression list table that contains contacts email addresses. The Always Encrypted feature protects the email addresses stored in the suppression list database column. Always Encrypted provides transparent encryption from the database to client applications. You enable Always Encrypted for existing databases by setting up a Windows Key Store or the Azure Key Vault.

The instructions for generating column master keys (CMK) and column encryption keys (CEK) differ depending on the type of key store that you are using. You can use Windows Key Store or the Azure Key Vault to create keys.

The following steps apply if you are using Windows Key Store.

Refer to Microsoft’s Always Encrypted documentation for information about creating and storing Column Master Keys (CMK) and Column Encryption Keys (CEK). The over all steps are:


If you are using Azure Web App Services but not the Azure Key Vault, see Using SQL Always Encrypted with Azure Web App Service.

The following steps apply if you are using Azure Key Vault.

Refer to Microsoft’s Azure Key Vault documentation for information about setting up Azure Key Vault. The overall steps are:

Configure Always Encrypted on the Suppression list table

To encrypt the Suppression list using the generated keys:

  1. In SQL Server Management Studio, run the following: \code\Sitecore.EmailCampaign.Database.Encrypted\CEK_EXM_Suppression.sql.

  2. In the EXM.Master database, right-click the Suppressions table, and then click Encrypt columns.

  3. On the Column Selection dialog window, click the Email column, and set the Encryption type and the Encryption Key. For example:

    • Encryption Type: Deterministic

    • Encryption Key: CEK_EXM_Suppression

  4. Follow the prompts to complete the configuration.