Generating Encryption Keys

Each key contains three elements:

  • Public Key – used for card data encryption (stored in the Database)
  • Private Key – used for card data decryption (stored in the application memory, needs to be uploaded manually on every server restart, must be stored securely by key custodians outside of the application)
  • Passphrase – used for private key encryption (needs to be manually entered when uploading the private key into the application, must be stored securely by key custodians outside the application).

Only users with the KEY_CUSTODIAN privilege are allowed to manage Encryption keys in CloudBlue Commerce. You should keep the list of users with this permission as short as possible (see PCI DSS requirement 3.5.2). These users must learn your key management policies and sign a form stating that they understand and accept their key custodian responsibilities (see PCI DSS requirement 3.6.8).

Note: see the end of the Implementation Guide for a sample Key Custodian form.

By default, the KEY_CUSTODIAN privilege is only included in the "Full Access" role. Since the "Full Access" role has many other privileges, we recommend that you create a separate role with only the KEY_CUSTODIAN privilege. Go to System > Settings > Security > Roles and create a new "Key Custodian" role that only includes the privileges KEY_CUSTODIAN, ACCOUNTS_VIEW_DET, CONFIG_SECURITY, and MANAGE_OWN_ACCTINFO.

As per PCI DSS requirement 3.6.6, you are required to split knowledge and establish dual control of cryptographic keys; therefore, you must have at least two users in CloudBlue Commerce with the "Key Custodian" role. Go to System > Users to create new users and/or assign roles.

As the first user, log in with your account and go to System > Settings > Encryption Keys. Click Generate New Key. Select the other Key Custodian in the User field and make up a random passphrase, then click Generate.

CloudBlue Commerce will generate a secure 2048-bit RSA key.

The other user must now log in with their account credentials (ideally from a separate computer) and go to System > Settings > Encryption Keys. There they will be able to download the auto-generated secure private key. This key must be handled and stored outside of CloudBlue Commerce in a secure way (see PCI DSS requirements 3.6.2 and 3.6.3).

To confirm that both custodians have the correct Key and Passphrase and to enable encryption, first the private key owner must re-upload their key into CloudBlue Commerce. Then the Passphrase Owner must re-enter their Passphrase. Now CloudBlue Commerce will enable encryption and will allow you to store cardholder data.

The encryption key and passphrase must be known by as few people as necessary for business purposes. You may want to distribute them to 3-4 people – each only knowing one part of the Key (passphrase or private key).
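The split-knowledge scheme above, modelled with the openssl CLI as an added example (this is not CloudBlue Commerce's own tooling): the application keeps only the public key, the private key leaves the system encrypted under a passphrase, and decrypting a stored card number requires both the key file and the passphrase. The file paths, passphrase and card number are constructed sample values.

```shell
#!/bin/sh
# Added example, not CloudBlue Commerce code: models the split-knowledge scheme
# with the openssl CLI. The application keeps only the public key; the private
# key is exported encrypted under a passphrase, so the custodian holding the
# key file and the custodian holding the passphrase are both needed to decrypt.
set -eu

WORK="$(mktemp -d)"
PRIV="$WORK/custodian_private.pem"   # held by the private-key custodian, not by the app
PUB="$WORK/app_public.pem"           # what the application stores (the database)

# Generate a 2048-bit RSA key. The private half is written AES-256 encrypted
# under the passphrase passed as $1 (a constructed demo value).
generate_key() {
  openssl genrsa -aes256 -passout "pass:$1" -out "$PRIV" 2048 2>/dev/null
  openssl rsa -in "$PRIV" -passin "pass:$1" -pubout -out "$PUB" 2>/dev/null
}

# The application encrypts cardholder data with the public key only (RSA-OAEP),
# so a copy of the database alone yields no usable card numbers.
encrypt_pan() {
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | openssl base64 -A
}

# Decryption needs both parts: the key file ($PRIV) and the passphrase ($2).
# Prints the plaintext; exits non-zero when the passphrase does not unlock the key.
decrypt_pan() {
  printf '%s' "$1" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$PRIV" \
    -passin "pass:$2" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}

# Reports the key size, so a custodian can confirm the 2048-bit key the page describes.
key_bits() {
  openssl rsa -pubin -in "$PUB" -text -noout 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
}
```

Run `generate_key`, `encrypt_pan` and `decrypt_pan` in turn to see that a wrong passphrase, or a missing key file, leaves the ciphertext unreadable even with the other part in hand.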

CloudBlue Commerce allows you to work with two Keys in parallel. This way, if one Key gets lost for any reason, you will be able to access the cardholder data using the second Key. You can generate the second Key at any time, and it is best to have two keys available at all times.
