Tenant key configuration

Restriction: This feature requires the Premium Data Security package, which is sold separately.

Use this screen to configure the master tenant key used to encrypt all sensitive data related to the company instance. This feature manages HSM tenant key provisioning options. Verify which is the current option selected, check if there is a key generated or in use, and see information about it.

The tenant key is the key that is used to encrypt all the secrets kept in our KMS for a particular company. These secrets, for example, may be those used to encrypt data marked as confidential when the encryption functionality of personally identifiable information (PII Encryption) is activated.

Note that the tenant key is not the same key used to encrypt PII. In both cases, clients can provide a key to use. When clients provide their own key for PII and a different key as the tenant key, Medallia Experience Cloud uses them as follows: the PII key provided will be stored in our KMS, but it is previously sent to be encrypted in the HSM using the associated tenant key.

Restriction: This feature only works on productive instances and cannot be used on sandboxes.

HSM configuration

Tenant key configuration options are:

This is the default option shown the first time you see this page. Experience Cloud does not use the HSM module, and our key management service generates and manages the tenant key as usual. For information, see Encrypting sensitive data.
Auto generated
Experience Cloud requests the HSM to generate a non-exportable key. This will be the new tenant key.

This auto-generated key is the new secret tenant key and never leaves the HSM. Our KMS will request to encrypt and decrypt messages/secrets with this secret tenant key stored in the HSM without manipulating it.

This key can be rotated on demand. There is an option to rotate the key inside the HSM Tenant Key Information section when the current key is auto-generated.

User generated
Experience Cloud enables HSM integration — it works similarly to the auto-generated option — except in this case, the client must provide the key. This key is the new secret tenant key and never leaves the HSM. Our KMS will request to encrypt and decrypt messages/secrets with the secret tenant key stored in the HSM without manipulating it.

Experience Cloud cannot rotate this key, clients must provide a new key when they want to rotate them.

User-generated key options

To securely upload this key to the HSM, follow these steps:

  1. Click Download to download the wrapper key named MedalliaWrapperKey.key. This wrapper key is generated by the HSM and it is the public key in PEM format of a RSA key-pair (bit length 4096). Both private and public keys are securely stored in the HSM.

  2. Use the wrapper to encrypt the user-generated key. To generate a key, follow the steps described in Creating and wrapping an encryption key.

  3. Upload the encrypted key by clicking Choose File and selecting the key to upload from your computer.

  4. Click Save to confirm the operation.

The user key — encrypted with the wrapper key — will securely travel to HSM by going through our key management service. There, the HSM will store it, and the KMS will associate the key ID provided by the HSM to be used as the new tenant secret key when it is needed, requesting the HSM to decrypt any message/secret associated with the tenant.

HSM tenant key information

Shows which type of HSM key provision method is currently used and displays tenant key metadata:

HSM key provisioning type.
Global unique identifier (GUID) that identifies the key in use in the HSM.
Date and time the key was created and stored.
Partition in use
Partition in the HSM where the key is stored.
Rotate key
Use this option to replace an old encryption key with a new one, and re-encrypt the data to use the new key.
Restriction: You can only rotate auto-generated keys. Experience Cloud only displays this option when the current key is auto generated.

For information, see Rotating an encryption key.