MicroStrategy ONE

Encryption Key Manager

Encryption Key Manager (EKM) creates and manages unique encryption keys for every MicroStrategy environment. With EKM you can create, import, and export these unique keys through Configuration Wizard. These keys encrypt potentially sensitive information stored in the metadata, cube, cache, history list, and session recovery files.

Terms and Definitions

  • Master Key: The master key encrypts the key store and is saved in the master key file. MicroStrategy Intelligence Server looks for the path to the master key in the registry on startup.
  • Key Store: Contains keys used to encrypt the metadata and file caches. These keys are encrypted by the master key.
  • Secure Bundle: A password-protected file that enables administrators to securely deploy encryption keys between clustered Intelligence Servers or servers sharing the same metadata.
  • Secure Bundle Code: The password used to protect the Secure Bundle file.

High Level Steps to Use the Encryption Key Manager

  1. Enable the Encryption Key Manager Feature and restart Intelligence Server.
  2. Using Configuration Wizard:

    • Update the metadata to apply the new encryption keys.
    • Export the Secure Bundle.
  3. To configure additional nodes in a clustered environment:

    • Enable the Encryption Key Manager Feature and restart Intelligence Server.
    • Import the Secure Bundle to each node using Configuration Wizard.

Enable the Encryption Key Manager Feature

The Encryption Key Manager is disabled by default.

Windows

To enable the Encryption Key Manager:

  1. Open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > MicroStrategy > Feature Flags.
  3. Double-click KE/EncryptionKeyManager.
  4. Change the Value Data field from 0 to 1.
  5. Click OK.
  6. Restart Intelligence Server.

    If Configuration Wizard is open, it must be restarted as well.

Linux

To enable the Encryption Key Manager:

  1. Locate the MSIReg.reg file in your MicroStrategy root install directory.
  2. Modify the following in a text editor:

    Change

    [HKEY_LOCAL_MACHINE\SOFTWARE\MicroStrategy\Feature Flags]

    "KE/EncryptionKeyManager"=dword:00000000

    to

    [HKEY_LOCAL_MACHINE\SOFTWARE\MicroStrategy\Feature Flags]

    "KE/EncryptionKeyManager"=dword:00000001

  3. Save and close.
  4. Restart Intelligence Server.

    If Configuration Wizard is open, it must be restarted as well.
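
The Linux edit above can be scripted so that it is repeatable and checkable on every cluster node. This is an added example, not MicroStrategy tooling: it assumes MSIReg.reg is LF-terminated text in the layout shown on this page, and the function names (ekm_flag_value, ekm_enable, ekm_demo) are hypothetical. The Intelligence Server restart in step 4 is still required afterwards.

```shell
#!/bin/sh
# Added example, not MicroStrategy tooling. Assumes MSIReg.reg is LF-terminated
# text laid out as on this page: [section] headers, then "name"=dword:XXXXXXXX.
EKM_SECTION='[HKEY_LOCAL_MACHINE\SOFTWARE\MicroStrategy\Feature Flags]'
EKM_ENTRY='"KE/EncryptionKeyManager"=dword:'
export EKM_SECTION EKM_ENTRY   # read via ENVIRON: awk -v would mangle the backslashes

# Print the flag's 8-digit value, looking only inside the Feature Flags section.
# Exit status is non-zero when the flag is absent from that section.
ekm_flag_value() {
    awk '{ sub(/^[ \t]+/, "") }
         /^\[/ { in_sect = ($0 == ENVIRON["EKM_SECTION"]); next }
         in_sect && index($0, ENVIRON["EKM_ENTRY"]) == 1 {
             print substr($0, length(ENVIRON["EKM_ENTRY"]) + 1); found = 1; exit
         }
         END { exit !found }' "$1"
}

# Set the flag to 1, keeping a .bak copy; a no-op when it is already enabled.
ekm_enable() {
    cur=$(ekm_flag_value "$1") || { echo "EKM flag not found in $1" >&2; return 2; }
    [ "$cur" = "00000001" ] && return 0
    cp -p "$1" "$1.bak" || return 1
    tmp=$(mktemp) || return 1
    awk '{ line = $0; sub(/^[ \t]+/, "", line) }
         line ~ /^\[/ { in_sect = (line == ENVIRON["EKM_SECTION"]) }
         in_sect && index(line, ENVIRON["EKM_ENTRY"]) == 1 {
             print ENVIRON["EKM_ENTRY"] "00000001"; next
         }
         { print }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample file: the decoy section shows why the match is section-aware.
ekm_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Decoy]
"KE/EncryptionKeyManager"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\MicroStrategy\Feature Flags]
"KE/EncryptionKeyManager"=dword:00000000
EOF
    before=$(ekm_flag_value "$f"); ekm_enable "$f"; after=$(ekm_flag_value "$f")
    echo "$before -> $after"; rm -f "$f" "$f.bak"
}
```

Running ekm_flag_value against each node's MSIReg.reg before importing the Secure Bundle confirms that the feature flag is set consistently across the cluster.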

Updating the Metadata with Encryption Key Manager

Once Encryption Key Manager is enabled, the metadata must be updated to become encrypted. The encryption keys and master key are automatically generated and stored locally during the metadata upgrade. See the Update the Metadata chapter in the Upgrade Help for steps to complete this process.

Metadata that has been encrypted with the Encryption Key Manager feature enabled cannot be decrypted, and the encrypted metadata objects cannot be used in an environment with the Encryption Key Manager feature disabled. Make a full backup of your metadata before an update.