Updating Expired Encryption Keys in AEP Data flows | Community
Level 2
June 20, 2025
Solved

Hi Everyone,

The encryption keys in Adobe Experience Platform (AEP) have expired. We created new encryption keys with the same names as the expired ones and deleted the expired keys from AEP. Since then, our existing incremental data flows have started to fail.

The public key has been shared with the team responsible for posting encrypted source files to Azure. We create data flows via API using these Azure source files, specifying the encryption details through the publicKeyId.

We attempted to update the publicKeyId in the existing data flows using a PATCH request. Although the request returns a 200 OK response, the update does not appear to be applied correctly. When retrieving the dataflow details, both the old and new publicKeyId values are still visible.

Could you please advise on the correct method to update the publicKeyId in existing data flows? Is it necessary to recreate all data flows using the new publicKeyId?

Additionally, how long does it typically take for expired keys to be fully removed from the system?

Thank you for your assistance.

Best answer by AnkitJasani29

Hi @aepuser16 ,

It seems the existing mapping set was removed, which was not expected. Ideally, PATCH the existing dataflow via the Flow Service API to update only the encryption key within the transformations block - without affecting the mappings, schedule, or other configurations.

I suggest confirming this with the support team as well, since based on https://experienceleague.adobe.com/en/docs/experience-platform/sources/api-tutorials/update-dataflows the above behavior should not happen.

Thanks,

Ankit
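
A check for the symptom described in the question (old and new publicKeyId both visible after a PATCH that returned 200 OK), as an added example that is not from the thread or from Adobe: it walks a retrieved dataflow document and reports every publicKeyId that is not the current key. The sample documents, the key IDs and the layout of the transformations entries are constructed assumptions; only the field name publicKeyId comes from the thread.

```python
import json

def find_key_refs(node, path="$"):
    """Yield (json_path, key_id) for every publicKeyId anywhere in a document."""
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if name == "publicKeyId" and isinstance(value, str):
                yield child, value
            else:
                yield from find_key_refs(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_key_refs(value, f"{path}[{index}]")

def audit_flow(flow, current_key_id):
    """Report key references in one dataflow; stale = anything but the current key."""
    refs = list(find_key_refs(flow))
    stale = [(p, k) for p, k in refs if k != current_key_id]
    # A flow with no key reference at all is not "ok": these flows read encrypted files.
    return {"flow_id": flow.get("id"), "refs": refs, "stale": stale,
            "ok": bool(refs) and not stale}

# Constructed sample documents (IDs and layout are assumptions, not real API output).
SAMPLE_FLOWS = json.loads("""
[
  {"id": "flow-a", "transformations": [
     {"name": "Mapping", "params": {"mappingId": "map-1"}},
     {"name": "Encryption", "params": {"publicKeyId": "key-old-constructed"}},
     {"name": "Encryption", "params": {"publicKeyId": "key-new-constructed"}}]},
  {"id": "flow-b", "transformations": [
     {"name": "Encryption", "params": {"publicKeyId": "key-new-constructed"}}]},
  {"id": "flow-c", "transformations": []}
]
""")

def audit_all(flows, current_key_id):
    """Audit every retrieved dataflow document against the current key ID."""
    return [audit_flow(f, current_key_id) for f in flows]

if __name__ == "__main__":
    for report in audit_all(SAMPLE_FLOWS, "key-new-constructed"):
        status = "OK" if report["ok"] else "CHECK"
        print(status, report["flow_id"], report["stale"] or report["refs"])
```

Run it over the documents returned when retrieving each dataflow after an update; any flow reported as CHECK still carries a reference to a key other than the current one, or carries none.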

1 reply

AnkitJasani29
Level 6
June 26, 2025

Hi @aepuser16 ,

You must update the entire source connection and dataflow as a unit. You cannot patch encryption-only settings. Adobe’s Flow Service API requires creating a new source connection and a new dataflow that reference the updated publicKeyId, then retiring the old ones.

Yes, it's necessary. Incremental flows using the old key need to be recreated with the new publicKeyId. You can't swap the key in an active flow via PATCH alone, as far as I am aware, based on the reference link below. Still, you can confirm with the Adobe Support team by generating a ticket.

Reference link for above: https://experienceleague.adobe.com/en/docs/experience-platform/sources/api-tutorials/update-dataflows

AEP itself may purge expired key references within minutes to 24 hours in primary stores, and up to 7 days in transient stores.

Reference link for above: https://experienceleague.adobe.com/en/docs/experience-platform/landing/governance-privacy-security/customer-managed-keys/overview

Thanks,

Ankit

AEPuser16Author
Level 2
June 26, 2025

Hi @ankitjasani29 ,

Thanks for the information. I just wanted to clarify — if encryption keys expire, does that mean we would need to create new data flows each time with a new encryption key? Since we manage multiple data flows, I’m a bit concerned this might lead to a growing number of redundant data flows over time. Or should I later disable and then delete the data flows that use the old encryption key? I’d appreciate any guidance on how to best handle this scenario.

Additionally, we’ve created the Adobe Managed Key via API. Does that mean we need to manually track the expiry date and create a new encryption key each time? Or is there a more efficient way to manage this?

Thanks,