Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Encrypting system data by using a custom key management service

Updated on July 1, 2021

You can encrypt system data by using an encryption key that is sourced from a custom key management service that is accessed from a data page. You source a key in this way when you use a key management service that is not one of the supported keystore platforms.

The master key in the custom KMS must be a 128-bit AES key.
  1. Create an activity that accesses the custom KMS, configures a CustomMasterKey object, and loads the master key into KeyStoreUtils.
    1. In the header of Dev Studio, click CreateTechnicalActivity.
    2. In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
    3. In an activity step, enter Method equal to Java, and in the Java Source field, enter a code snippet similar to the example in step 1 of the sample activity pzSampleGetCustomMasterKey.
      Instead of the first Java command shown in the sample, your activity can use a Connect-REST step that accesses the master key from the custom KMS.
    4. Click Save.
  2. Create a data page that is loaded by the activity that you created in step 1.
    1. In the header of Dev Studio, click CreateData ModelData Page.
    2. In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
    3. In the Object type field, enter Data-Admin-Security-Keystore.
    4. In the Mode list, select Read-Only.
    5. In the Scope list, select Node.
    6. In the Source list, select Activity.
    7. In the Activity name field, enter the name of the activity that you created in step 1.
    8. On the Parameters tab, select the Pass current parameter page check box.
    9. Click Save.
  3. Create a keystore that is loaded from the data page that you created in step 2.
    1. In the header of Dev Studio, click CreateSecurityKeystore.
    2. In the Keystore location field, press the Down arrow key, and under KEY MANAGEMENT SYSTEM (KMS) FOR SYSTEM DATA ENCRYPTION, select Custom – Source master key from other KMS using a data page.
    3. In the Source data page field, enter the name of the data page that you created in step 2.
    4. Click Save.
  4. Identify and activate the key for system data encryption.
    1. In the header of Dev Studio, click ConfigureSystemSettingsData Encryption.
    2. In the System data encryption section, in the Keystore field, enter the name of the keystore that you created in step 3.
    3. Click Activate.
  • Configuring a keystore for a master key from a custom source

    You can configure a keystore for a master encryption key that is stored in an external source, such as a key management service. Use keystores to encrypt, authenticate, and serve content over HTTPS. Master keys can encrypt data that is temporarily stored, for example, cached requestor IDs, or data that is persisted, such as data in a database.

  • Previous topic Creating a data page activity for a keystore
  • Next topic Configuring a keystore for a master key from a custom source

Related articles

Configuring the platform cipherKeystoresData pagesKeystores

Tags

Pega Platform 8.4 Security

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Support Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us