Encrypting data
To make your data more secure, you can select the type of encryption to use in your application to encrypt and decrypt passwords, properties, and BLOBs.
Access the Data Encryption tab by clicking .
The following options are available:
- Application data encryption (exposed by default)
- You can change the encryption type for your application at any time by switching between the platform cipher and a custom cipher.
- Platform cipher – The platform cipher uses the AES256-CBC with PKCS7 Padding cryptographic algorithm to encrypt and decrypt sensitive case data in your application. You need to use your own Customer Master Key (CMK), managed by your external key management service (KMS). The keys stored in AWS KMS support time-based and on-demand data key rotations. You do not need to create any custom cipher code for this encryption option.
- Forced data key rotation – You can rotate the internal encryption key at any time. This is typically done if the Customer Data Key in the platform cipher has been compromised. The key can be rotated regardless of the rotation period configured in the keystore data instance; records encrypted under the previous key remain readable, because each one is tied to the wrapped key that protected it.
- Custom cipher – The custom cipher is used when the platform cipher does not suit your company’s needs. To use this encryption type in your application, you need to create your own custom encryption cipher. For more information, see Creating a custom cipher in Pega Platform.
After you configure and activate the cipher, you specify the classes and properties to encrypt. For more information, see Encrypting the storage stream (BLOB), and Creating an access control policy for the PropertyEncrypt action.
- Application master key usage history
- A read-only view of the application data encryption settings that shows the activation and rotation history of the master key.
- System data encryption (exposed by default)
- Specifies which master key provider Pega uses for system data encryption. The only system data encrypted with this key is the session cookie. There are two master key providers:
- Pega Platform – Pega will generate the key for you.
- Keystore – You can provide your own key by specifying a key and selecting a keystore instance.
- Master key usage history
- A read-only view of the system data encryption settings that shows the activation and regeneration history of the master key.
For more information about encryption, see Encryption in Pega Platform.
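The platform cipher and forced data key rotation options above describe an envelope-encryption scheme: property values are encrypted with AES-256-CBC and PKCS7 padding under a data key, and that data key is itself wrapped by a Customer Master Key held in an external KMS. The Go program below is an added illustration of that scheme written for this page; it is not Pega Platform code and does not reproduce Pega's implementation. The `Keystore` type is a hypothetical stand-in for the external KMS (a real KMS never releases the CMK and wraps data keys with a dedicated key-wrap mode rather than CBC), and `Record`, `PlatformCipher`, `RotateDataKey` and `ReEncrypt` are names chosen for the example. It shows why a record written before a forced rotation still decrypts afterwards, what a rotation triggered by a suspected key compromise must do to existing data, and why the PKCS7 unpadding check has to be strict.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// pkcs7Pad appends PKCS#7 padding so the result is a whole number of blocks.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks every padding byte before stripping it; a lax check here is
// what turns CBC decryption into a padding oracle.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%blockSize == 0 { n = int(b[len(b)-1]) }
	if n == 0 || n > blockSize { return nil, errors.New("pkcs7: bad padding") }
	for _, c := range b[len(b)-n:] {
		if int(c) != n { return nil, errors.New("pkcs7: bad padding") }
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt: AES-CBC with PKCS#7 padding and a fresh random IV prepended.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { return nil, err }
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// cbcDecrypt reverses cbcEncrypt and validates the padding.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: ciphertext too short or misaligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// Keystore is a hypothetical stand-in for the external KMS that holds the customer
// master key (CMK). A real KMS never releases the CMK and wraps data keys with a
// dedicated key-wrap mode; CBC is used here only to keep the demo self-contained.
type Keystore struct{ CMK []byte }

func (k *Keystore) Wrap(dataKey []byte) ([]byte, error)   { return cbcEncrypt(k.CMK, dataKey) }
func (k *Keystore) Unwrap(wrapped []byte) ([]byte, error) { return cbcDecrypt(k.CMK, wrapped) }

// Record is one encrypted property value plus the wrapped data key that protects it.
type Record struct {
	KeyVersion int
	WrappedKey []byte
	Ciphertext []byte
}

// PlatformCipher holds the active data key; the plaintext key lives only in memory,
// and its wrapped form is what gets stored alongside each record.
type PlatformCipher struct {
	ks      *Keystore
	version int
	dataKey []byte
	wrapped []byte
}

func NewPlatformCipher(ks *Keystore) (*PlatformCipher, error) {
	p := &PlatformCipher{ks: ks}
	return p, p.RotateDataKey()
}

// RotateDataKey is the forced rotation: a new data key is generated and wrapped
// under the CMK immediately, regardless of any scheduled rotation period.
func (p *PlatformCipher) RotateDataKey() error {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return err }
	wrapped, err := p.ks.Wrap(key)
	if err != nil { return err }
	p.version++
	p.dataKey, p.wrapped = key, wrapped
	return nil
}

func (p *PlatformCipher) EncryptProperty(value string) (Record, error) {
	ct, err := cbcEncrypt(p.dataKey, []byte(value))
	if err != nil { return Record{}, err }
	return Record{KeyVersion: p.version, WrappedKey: p.wrapped, Ciphertext: ct}, nil
}

// DecryptProperty unwraps the record's own data key through the KMS, so records
// written under an earlier data key remain readable after a rotation.
func (p *PlatformCipher) DecryptProperty(r Record) (string, error) {
	key, err := p.ks.Unwrap(r.WrappedKey)
	if err != nil { return "", err }
	pt, err := cbcDecrypt(key, r.Ciphertext)
	if err != nil { return "", err }
	return string(pt), nil
}

// ReEncrypt rewrites a record under the current data key: the pass existing data
// needs after a forced rotation prompted by a suspected key compromise.
func (p *PlatformCipher) ReEncrypt(r Record) (Record, error) {
	pt, err := p.DecryptProperty(r)
	if err != nil { return Record{}, err }
	return p.EncryptProperty(pt)
}
```

Two points the example makes concrete. Rotation alone only changes the key used for new writes; because an old record carries its own wrapped key, it is still decryptable through the KMS, which is exactly why data written under a compromised key has to be re-encrypted (`ReEncrypt`) rather than merely having the active key replaced. And since the page's algorithm is CBC with PKCS7 padding, the unpadding routine must reject malformed padding without leaking which byte failed; a caller that distinguishes padding errors from other decryption errors hands an attacker a padding oracle.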