
Mc Overview Encryption Implementation Guide
Field-Level Encryption and Encrypted Data Sending Implementation Guide
Salesforce Spring
Last updated November
Copyright Salesforce, Inc. All rights reserved. Salesforce is a registered trademark of Salesforce, Inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
Field-Level Encryption Implementation Guide
Set Up Field-Level Encryption
Field-Level Encryption Use Cases for Implementation and Testing
Field-Level Encryption Best Practices and Limitations
FIELD-LEVEL ENCRYPTION IMPLEMENTATION GUIDE
Field-Level Encryption stores encrypted data at rest in a data extension. You can mark text or email address fields in a data extension as encrypted. This feature allows you to store sensitive data in Marketing Cloud databases using an encrypted format. Data shown in Marketing Cloud's user interface is shown as encrypted data, even to Marketing Cloud users. Marketing Cloud decrypts the data only at send time for use in email message and landing page personalization.
Who This Guide Is For
This guide is for Marketing Cloud admins, partners, and developers to implement Field-Level Encryption and Encrypted Data Sending and to configure specific features.
Before You Start
Field-Level Encryption must be enabled for your account. Field-Level Encryption is available only for new accounts, and it functions with any account type. This feature requires a subscriber key value for each contact. You can use Field-Level Encryption with data encrypted at rest. Field-Level Encryption works only with text and email address fields.
Field-Level Encryption doesn't function with:
Data obfuscation
Data masking
Tokenized Sending
SMS messages
Push messages
List-based sending
Data added or updated in a customer profile center
Audience Builder segments, filters, and queries
Set Up Field-Level Encryption
Review this information and follow these steps to set up Field-Level Encryption in your Marketing Cloud account.
Field-Level Encryption Data Imports
With Field-Level Encryption turned on, import data into the Marketing Cloud using one of these methods:
Method                               Option
Imports                              None
API Call                             CreateRow, UpdateRow
Triggered Send                       None
Data Extension AMPscript Functions   Lookup, InsertDE, UpsertDE
You can also input data directly into the data extension by adding individual records. This method encrypts data as well. The Marketing Cloud builds a message using encrypted data, then converts that data to plain text using a symmetric key at send time. The system then sends the message from our mail transfer agent (MTA). The Marketing Cloud stores all tracking and deliverability information as identified by the corresponding subscriber key values.
Field-Level Encryption Data Exports
With Field-Level Encryption turned on, export data from the Marketing Cloud using one of these methods:
FTP export of a data extension from Contact Builder
File download of a data extension via browser from Contact Builder
Extract via Interactions (this method exports data as encrypted data only)
API retrieval of a data extension
Encryption Configuration Options
When enabling Field-Level Encryption in Marketing Cloud Security and Encryption products, you can encrypt and import data into your Marketing Cloud account. You can also import plain text into your Marketing Cloud account and encrypt the data as part of the import process. You can also choose the method to display the data, which is also encrypted by default.
Choose one of these options when enabling Field-Level Encryption for your account:
You can encrypt your data yourself and import it into your Marketing Cloud. Any extracted or exported data remains in the same encrypted format used before the import process.
You import plain text data into your Marketing Cloud account. Marketing Cloud encrypts that data as part of the import process. Marketing Cloud then decrypts any extracted or exported data. Marketing Cloud exports any data using a data extension export to an FTP location as unencrypted data.
You choose to display data in Preview, landing pages, View as Webpage, Forward to a Friend, platform apps, and Send Logging in unencrypted text. By default, the Marketing Cloud encrypts this data.
Implement Field-Level Encryption
Follow these steps to implement Field-Level Encryption in your Marketing Cloud account.
To enable Field-Level Encryption for your new Marketing Cloud account, contact your Marketing Cloud account representative or Partner Success Services. Implementation for this feature requires the purchase and completion of a Marketing Cloud Services engagement before performing any configuration in your Marketing Cloud account. Ensure that you understand the prerequisites and account changes for this product before proceeding. Log in to your Marketing Cloud account as an administrative user to perform this implementation.
Open Key Management under Data Management in the Setup section of your account.
To create a symmetric key, provide the required information. Generate the key value for the pre-shared key field using a cryptographically secure random number generator. Marketing Cloud supports AES encryption. Use a character hexadecimal string for the key. Your internal team can provide information for obtaining the key.
Save your key and return to the Key Management page.
To create an initialization vector (IV), provide the required information. Use a character hexadecimal string for the IV value.
Save your IV.
After you use this key value to encrypt data, you can't change the key value. After the Services engagement for this feature completes, you can mark fields in a data extension for encryption. In Contact Builder, a checkbox that enables encryption appears next to text and email address data extension fields.
Salesforce Shield and Field-Level Encryption Compatibility
You can use Salesforce Shield and Field-Level Encryption with Sales and Service Clouds.
Event Monitoring
Audit Trail
Platform Encryption
The Marketing Cloud does not offer Audit Trail or Event Monitoring via the Marketing Cloud app. However, Field-Level Encryption does encrypt data at rest and can support Platform Encryption users. The Marketing Cloud can import data automatically from the Sales and Service Clouds using the Marketing Cloud Connector. This process decrypts the data from these clouds and transmits that data over a secure communication channel to Marketing Cloud. As the data arrives in Marketing Cloud, those fields are encrypted using Field-Level Encryption. The connector establishes a relationship between a Salesforce org and a Marketing Cloud account.
You can accomplish this process using one of the following four methods.
Synchronized Data Sources
Synchronized Data Sources supports Platform Encryption. This feature synchronizes data from your Salesforce org at specified time intervals, including data schema and relationships previously established in your Salesforce CRM account. The Marketing Cloud encrypts fields identified as encrypted using Platform Encryption. An enabled user views encrypted data in the Sales or Service Cloud. They can also select fields for synchronization in the Marketing Cloud, which imports and stores this data in Synchronized Data Extensions. The Marketing Cloud re-encrypts this data using the Field-Level Encryption symmetric key upon import.
Reports and Campaign Sends
Reports and Campaign Sends supports Platform Encryption. After installing the Marketing Cloud Connector, you can send to Reports and Campaigns directly from your Sales Cloud account. A Marketing Cloud account enabled with Field-Level Encryption encrypts data identified as encrypted from the Sales or Service Cloud.
Journey Builder Events
Journey Builder Events do not support Platform Encryption. The Marketing Cloud does not re-encrypt data imported via events. Journey Builder lets you create an entry event to power a journey based on Sales and Service Cloud data. Journey Builder then creates associated data extensions as it creates the entry events. The Marketing Cloud does not encrypt data taken from the Sales and Service Clouds as part of these entry events currently. You can use Journey Builder with Field-Level Encryption and implement Synchronized Data Extensions instead of data imports to maintain encryption.
Automation Studio Imports
Automation Studio imports do not support Platform Encryption. Automation Studio permits you to create an import activity that can import Sales and Service Cloud data into the Marketing Cloud. The Marketing Cloud does not encrypt this data once imported. You can synchronize encrypted Salesforce Objects data using Synchronized Data Extensions.
Field-Level Encryption Use Cases for Implementation and Testing
These use cases demonstrate effective processes to set up and test Field-Level Encryption in your Marketing Cloud account.
Create an Encryption Key
Create an encryption key in Marketing Cloud for use with Field-Level Encryption. This use case places a symmetric key and IV value in your Marketing Cloud account.
This use case requires the Marketing Cloud Admin role or the Key Admin permission in Data Management under Admin.
In Setup, click Key Management.
Select Symmetric.
Enter a name and external key value for your key.
Enter a bit key value for your pre-shared key value. This value requires hex characters.
Copy the bit key value and enter the value again.
Click Save.
Click Create.
Select your initialization vector (IV) value. This value requires hex characters.
Enter the IV value in the IV field.
Click Save.
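Added example, not part of the Salesforce guide: Python code for the key and IV preparation described under Implement Field-Level Encryption and in the Create an Encryption Key steps above. It draws hex values from a CSPRNG and checks them before they are entered in Key Management. The byte lengths are the standard AES sizes, taken as an assumption because the guide's own length figures are missing from this copy, and all function names are illustrative.

```python
import secrets
import string

# Assumption: the guide's length figures are missing from this copy, so these
# are the standard AES sizes (128/192/256-bit keys, 128-bit block for the IV).
AES_KEY_BYTES = (16, 24, 32)
AES_IV_BYTES = (16,)


def generate_hex(num_bytes):
    """Return num_bytes from the OS CSPRNG as a hex string."""
    return secrets.token_hex(num_bytes)


def check_hex_value(value, allowed_bytes):
    """Return a list of problems with a hex key or IV string (empty = OK)."""
    problems = []
    if value != value.strip():
        problems.append("surrounding whitespace")
        value = value.strip()
    if not value or any(c not in string.hexdigits for c in value):
        return problems + ["non-hex characters"]
    if len(value) % 2 or len(value) // 2 not in allowed_bytes:
        return problems + ["unexpected length: %d hex characters" % len(value)]
    raw = bytes.fromhex(value)
    # Crude placeholder check, not an entropy test: flags all-zero values
    # and short repeated patterns.
    if len(set(raw)) < len(raw) // 2:
        problems.append("few distinct bytes, looks like a placeholder")
    return problems


def review_key_material(key_hex, iv_hex):
    """Check a key/IV pair before it is pasted into the key-management form."""
    report = {
        "key": check_hex_value(key_hex, AES_KEY_BYTES),
        "iv": check_hex_value(iv_hex, AES_IV_BYTES),
    }
    # The IV should be drawn independently, not cut out of the key.
    if iv_hex.strip() and iv_hex.strip().lower() in key_hex.lower():
        report["iv"].append("IV is a substring of the key")
    return report


if __name__ == "__main__":
    key, iv = generate_hex(32), generate_hex(16)
    print(review_key_material(key, iv))  # only the report is printed, never the values
```

Because the key value can't be changed after it has encrypted data, run the check before the first save and keep the generated values in your organization's secret store rather than in shell history or a ticket.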
Create a Data Extension with Encryption Fields
Create a data extension with encrypted fields in Marketing Cloud for use with Field-Level Encryption. Use this information to encrypt text and email address type fields.
This use case requires Field-Level Encryption enablement for your account. You must create an encryption key for this use case.
In Contact Builder, click Data Extensions.
Click Create.
Enter the information for your data extension and click Next.
Implement your data retention policy and click Next.
Add the fields to your data extension. For each field to encrypt, select Encrypt Data. This feature supports only text and email fields.
Click Complete.
Click Import.
Click Create.
Perform the steps to import data into your new data extension.
In Contact Builder, the data extension displays ciphertext for encrypted fields. The All Subscribers list shows an EmailUnavailableSubscriberID format value for encrypted email addresses.
Field-Level Encryption Best Practices and Limitations
This information helps you understand Field-Level Encryption limitations and how to best manage your encrypted data.
Field-Level Encryption Limitations
These limitations apply when working with Field-Level Encryption in Marketing Cloud's Security and Encryption products.
Note: Implementation for this feature requires the purchase and completion of a Marketing Cloud Services engagement prior to performing any configuration in your Marketing Cloud account. This requirement includes the creation of any new business units. To enable Field-Level Encryption for your new Marketing Cloud account, contact your Marketing Cloud account representative or Partner Success Services.
Use only data extensions created specifically for Field-Level Encryption with this feature.
Configure Field-Level Encryption before configuring any data synchronization with Sales or Service Clouds.
Field-Level Encryption doesn't support segmenting, filtering, or querying encrypted fields.
Encrypted data appears encrypted on Discover and standard reports. The send-to domain appears as exct.net.
Field-Level Encryption doesn't support auto-suppression lists. Instead, create a list with only the subscriber key values to suppress and assign that list for use in your account.
You can't add or update encrypted data via Marketing Cloud. Use imports, AMPscript, triggered sends, or API calls, or manually add records into a data extension using Contact Builder.
Field-Level Encryption doesn't support encryption of a mobile number used as a subscriber key value.
Field-Level Encryption doesn't support encryption for primary key fields or subscriber key values.
You can use MobileConnect and MobilePush in accounts using Field-Level Encryption, but messages can't include any encrypted fields.
You can't turn off Field-Level Encryption after you enable it.
Field-Level Encryption doesn't support list-based sending.
Accounts enabled for Field-Level Encryption don't support data filters. Use query activities instead.
Use queries instead of data relationships with Field-Level Encryption. Data relationships don't support Field-Level Encryption.
Encrypted fields don't support default values in data extensions.
API-based triggered sends support encryption only for email addresses. Triggered sends can't decrypt non-email-address information and send the encrypted string instead.
If you include the emailaddr personalization string in your email messages, any sendlog used contains the unencrypted email address.