Preparing to Use the Profile Key Manager

Before you can use the Profile Key Manager (PKM) to encrypt your data or to change the keys, you must follow the procedure that is outlined in this topic.

To prepare to use the Profile Key Manager

  1. Build an application runtime. When you deploy an application that uses encryption in the Profiles service, you should have a global repository that stores the following:

    • The current private keyIndex value (either 1 for privateKey1 or 2 for privateKey2).

    • The publicKey for encryption and current private key for decryption (publicKey/privateKey1).

    • The publicKey for encryption and prior private key for decryption (publicKey/privateKey2).

  2. Generate new keys. This generates a new publicKey/privateKey pair.

  3. Deny updates. Make sure that the application code contains logic that denies edits and updates to the encrypted properties of a profile when that profile’s keyIndex property is not equal to the current global keyIndex value.

  4. Update the application runtime. You must update the application runtime with the new key information. In the application runtime, change the values of the global keyIndex, publicKey, and privateKey to the new values.

  5. Update the stored data. Reinitialize the Profile services to use the new values.
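The five steps above, as an added C# example that is not part of this topic or of the Profiles service itself: a constructed global repository holding keyIndex, publicKey and privateKey1/privateKey2, the step 3 check that denies updates when a profile's keyIndex lags the global one, and the step 5 re-encryption. The class and member names (KeyRepository, ProfileCrypto, EncryptedCardNumber) are assumptions chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Global repository from step 1 (constructed example): the current keyIndex (1 or 2),
// the publicKey used for all new encryption, and privateKey1/privateKey2.
public sealed class KeyRepository
{
    public int KeyIndex { get; private set; } = 1;
    public RSAParameters PublicKey { get; private set; }
    private readonly RSAParameters[] privateKeys = new RSAParameters[3]; // slots 1 and 2 used
    public KeyRepository() { Install(); }

    // Steps 2 and 4: generate a new pair and make it current; the prior key stays
    // in the other slot so step 5 can still decrypt data written under it.
    public void RotateKeys() { KeyIndex = KeyIndex == 1 ? 2 : 1; Install(); }

    private void Install()
    {
        using var rsa = RSA.Create(2048);
        PublicKey = rsa.ExportParameters(false);
        privateKeys[KeyIndex] = rsa.ExportParameters(true);
    }
    public RSAParameters PrivateKeyFor(int keyIndex) => privateKeys[keyIndex];
}

// A profile with its keyIndex property and one encrypted property.
public sealed class Profile { public int KeyIndex; public byte[] EncryptedCardNumber; }

public static class ProfileCrypto
{
    // Step 3: deny edits while the profile's keyIndex differs from the global keyIndex.
    public static void UpdateCardNumber(KeyRepository repo, Profile p, string cardNumber)
    {
        if (p.KeyIndex != repo.KeyIndex)
            throw new InvalidOperationException("Profile keyIndex differs from global keyIndex; run step 5 first.");
        using var rsa = RSA.Create();
        rsa.ImportParameters(repo.PublicKey);
        p.EncryptedCardNumber = rsa.Encrypt(Encoding.UTF8.GetBytes(cardNumber), RSAEncryptionPadding.OaepSHA256);
    }

    // Step 5: decrypt with the prior private key, then re-encrypt with the current publicKey.
    public static void ReEncrypt(KeyRepository repo, Profile p)
    {
        if (p.KeyIndex == repo.KeyIndex) return;
        using var oldRsa = RSA.Create();
        oldRsa.ImportParameters(repo.PrivateKeyFor(p.KeyIndex));
        byte[] plain = oldRsa.Decrypt(p.EncryptedCardNumber, RSAEncryptionPadding.OaepSHA256);
        p.KeyIndex = repo.KeyIndex;      // now matches, so the normal update path is allowed
        UpdateCardNumber(repo, p, Encoding.UTF8.GetString(plain));
    }
}
```

Because only the current and prior private keys are kept, every stored profile must be brought to the current keyIndex (step 5) before the keys are rotated again, or data written under the overwritten slot can no longer be decrypted.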

Security

The publicKey/privateKey values should not be accessible from the Web server; they should be reachable only from the back-end application server that processes encrypted information, such as credit card numbers.

See Also

Other Resources

How to Add Encrypted Properties for Profiles

Profiles System Tools

Profile Key Manager

Generating a New Encryption Key

Denying Updates

Updating the Application Runtime

Updating the Stored Data

Using the Profile Key Manager

Profile Key Manager Command Line Utility Reference