Manage encryption

Note:

The concepts and procedures described in this article:

(For educational institutions only) Assets that are encrypted can't migrate to personal student accounts. For more on student asset migration, see this article.

What’s new

Adobe is updating dedicated encryption on the Admin console from directory-level to organization-level encryption. Currently, when you enable encryption for a directory, the assets of users of that directory are encrypted. Going forward, when you enable encryption on the Admin console, assets of all users in the organization would be encrypted.

To ensure no impact to your end uses, we’re implementing this change as follows:

  • If you’re a new Adobe enterprise customer, you'll get the option to set up organization-level encryption, by default.
  • If you’ve not enabled encryption on any directories in your organization, you will get the option to set up organization-level encryption.
  • We are migrating organizations that have enabled encryption on one or more directories in a phased manner. As soon as your organization is migrated, the assets of all users will be encrypted by a dedicated encryption key.  You can, however, choose to revoke the encryption key.

Introduction

Using Creative Cloud or Document Cloud for enterprise, end users can store files safely and securely. Also, users can share files and collaborate with others. Files are accessible to users via the Creative Cloud website, Creative Cloud desktop app, and Creative Cloud mobile app. Storage is available with Creative Cloud or Document Cloud for enterprise only if it is a part of your organization's agreement with Adobe.

While all data on Creative Cloud and Document Cloud is encrypted, for extra layers of control and security, you can choose to have Adobe generate a dedicated encryption key for your organization. Content is then encrypted using standard encryption with a dedicated encryption key. If necessary, you can revoke the encryption key from the Admin Console.

Dedicated encryption keys are available only with the Creative Cloud or Document Cloud for enterprise shared services plans that include storage and services.

Before enabling dedicated encryption keys, see Adobe Creative Cloud for enterprise security overview or Adobe Document Cloud security.

To upgrade your plan to include storage and services, contact your Adobe Account Manager.

Dedicated encryption keys: Considerations

Make note of the following when working with encryption keys:

  • Once you enable a dedicated encryption key, you cannot revert to using standard encryption keys.
  • You can revoke a dedicated encryption key, if necessary. If you revoke the encryption key, your users can no longer access content that has been encrypted using the encryption key. For example, if you suspect a data breach, we recommend you immediately revoke the dedicated encryption key from the Admin Console.
  • To restore access to content whose encryption key has been revoked, re-enable the encryption key from the Admin Console.
  • Dedicated encryption keys are not recommended for educational institutions. This prevent students from being able to export their content after they leave the institution.

The following data is not encrypted using the dedicated encryption key and is therefore not affected if the key is revoked:

  • Metadata (file name, collection name, font use, MIME type, and other attributes necessary to browse a collection)
  • Videos published by Adobe Spark Video
  • Lightroom photos
  • Colors that are stored by the Adobe Color service
  • All data that is managed by the Behance and Adobe Fonts services
  • All data managed by the Marketing Cloud
  • Saved application preferences
  • Information about the account holder such as name, email, licenses, and other basic user account information
  • Data of members of an organization with an Adobe ID account (unless the user is collaborating on content when Enterprise ID or Federated ID users initiated the collaboration)

Enable dedicated encryption keys

Note:

Adobe is updating encryption on the Admin console from directory-level to organization-level encryption. If you've a new customer or you've never used directory-level encryption, you will get the option to enable encryption for all users in your organization. If you've previously encrypted one or more directories, you can continue to use directory-level encryption till your organization is migrated. 

  1. Sign in to the Admin Console, and navigate to Settings > Identity > Encryption Settings.

  2. On the Encryption Settings page, enable encryption.

    Enable encryption

  3. Click Enable.

    The Enable Dedicated Encryption Key dialog box appears.

  4. Click Enable to confirm.

    The following message indicates that dedicated key encryption is now enabled:

    Dedicated key encryption enabled

  1. Sign in to the Admin Console, and navigate to Settings > Identity.

    In the Identity page, the Directory tab lists the directories in your organization.

  2. To enable a dedicated encryption key, click the directory name.

  3. Click Settings.

    The Directory Settings page is displayed.

    Note:

    If you don't see an option to use dedicated encryption keys for a specific directory, your organization has been upgraded to use dedicated encryption at the organization level.  To enable dedicated encryption key, go to Settings > Encryption Settings. For details, see the section above, on how to enable encryption at the organization level.

  4. Click Enable.

    The Enable Dedicated Encryption Key dialog box appears.

  5. Click Enable to confirm.

    When the dedicated encryption key is successfully enabled, a message indicating the success is displayed. If you have existing assets, asset encryption begins and the encryption progress is displayed. Users can continue working, uninterrupted, while the encryption process in progress.

Also, a message is displayed if, for any reason, the enabling of the encryption key fails or the key is enabled but asset encryption has failed.

Revoke dedicated encryption keys

Note:

Adobe is updating encryption on the Admin console from directory-level to organization-level encryption. If you've a new customer or you've never used directory-level encryption, you will get the option to disable encryption for all users in your organization. If you've previously encrypted one or more directories, you can continue to use directory-level encryption till your organization is migrated. 

If you revoke a dedicated encryption key, data encrypted with the encryption key is no longer accessible to users.

Note:

Users cannot open existing assets, but can browse files, folders, and view attributes. Revoking encryption key restricts all access, even uploading new content. Users will only be able to browse content

To revoke the dedicated encryption key:

  1. Sign in to the Admin Console, and navigate to Settings > Identity > Encryption Settings.

  2. On the Encryption Settings page, revoke encryption.

    Enable encryption

    The Revoke Dedicated Encryption Key dialog box appears.

  3. Click Revoke to confirm.

    When the dedicated encryption key has been successfully revoked, a message indicating the success displays. 

    Revoke success

  1. Sign in to the Admin Console, and navigate to Settings > Identity.

    In the Identity page, the Directory tab lists the directories in your organization.

  2. To revoke the dedicated encryption key, click the directory name.

  3. Click Settings.

    The Directory Settings page is displayed.

    Note:

    If you don't see an option to revoke dedicated encryption keys for a specific directory, your organization has been upgraded to use dedicated encryption at the organization level.  To revoke the dedicated encryption key, go to Settings > Encryption Settings. For details, see the section above, on how to revoke encryption at the organization level.

  4. Click Revoke.

    The Revoke Dedicated Encryption Key dialog box appears.

  5. Click Revoke to confirm.

    When the dedicated encryption key has been successfully revoked, a message indicating the success displays. 

Adobe logo

Sign in to your account