MicroStrategy ONE

Upgrade Metadata Encryption to AES256-GCM

Starting in MicroStrategy ONE (December 2024), AES-256 encryption is on by default. This update ensures that sensitive data is protected with one of the most secure encryption algorithms available. Metadata objects are encrypted to AES-256 when a manual metadata update is performed. This is a one time update. During the manual update process, a one-time performance degradation is exptected due to the encryption process, to encrypt metadata objects with the AES-256 standard. Metadata Live updates do not trigger the encryption process, only manual updates.

Starting in MicroStrategy ONE (June 2024), you can opt-in to stronger application level encryption at AES-256 for objects stored in the metadata. The encryption is turned off by default.

MicroStrategy recommends users implement full-disk and full-database level encryption as part of a comprehensive security practice.

To enable application level encryption at AES-256 prior to MicroStrategy ONE (December 2024):

You must have metadata version MicroStrategy ONE (June 2024) or later to upgrade your metadata encryption to AES-256

  1. Open the MicroStrategy REST API Explorer by appending /MicroStrategyLibrary with /api-docs/index.html?visibility=all in your browser.

  2. Create a session and authenticate it. In the Authentication section, use POST /api/auth/admin/login.

  3. Click Try Out and modify the request body by providing your user name and password.

  4. Click Execute.

  5. In the response, find X-MSTR-AuthToken.

  6. To get the current feature status:

    1. Under the Configurations section, look up GET ​/api​/v2/configurations​/featureFlags​.

    2. Click Try Out.

    3. Set the proper X-MSTR-AuthToken from step 5. You can also get this via inspecting the browser network XHR requests.

    4. Click Execute.

    5. Search for CA/EnableAES256GCM in the response body to find its status details.

  7. Under the Configurations section, look up PUT ​/api​/configurations​/featureFlags​/{id}.

  8. Click Try Out.

  9. Set the proper X-MSTR-AuthToken from step 5. You also can get this via inspecting the browser network XHR requests.

  10. Set id to 6DB42B35426C582F7D6023B5B0853061.

  11. To enable this preview feature, set the status value to 1.

  12. Click Execute.

  13. Repeat step 6 to verify that the feature is enabled.