Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Encrypting application data

Updated on June 30, 2021

Help secure your data by selecting the type of encryption to use in your application to encrypt and decrypt passwords, properties, and BLOBs. When you encrypt sensitive data at the application level, it inherently protects data stored in your application, and making it so only authorized parties can read it.

Caution: After you enable application data encryption, you cannot disable it and restore the default settings. However, you can change the initial encryption type to another encryption type as necessary.

You can access the Data Encryption tab from the navigation pane of Dev Studio by clicking ConfigureSystemSettingsData Encryption.

Note: The Data Encryption tab is visible to operators who have the pxCanManageDataEncryption privilege in their access roles. This privilege is part of the PegaRULES:SecurityAdministrator role.

The following encryption options are available:

Application data encryption (exposed by default)
You can change the encryption type for your application at any time by switching between the platform cipher and a custom cipher.
  • Platform cipher – The platform cipher uses the AES256-CBC with PKCS7 Padding cryptographic algorithm to encrypt and decrypt sensitive case data in your application. You need to use your own Customer Master Key (CMK), managed by your external key management service (KMS). The keys stored in AWS KMS support time-based and on-demand data key rotations. You do not need to create any custom cipher code for this encryption option.

    Caution: When changing the KMS keystore, you must activate the new keystore before you delete or disable the active Customer Master Key.
    Caution: If you delete the KMS master key or the KMS master key expires, Pega Platform cannot decrypt the previously encrypted data, which can result in data loss.

  • Forced data key rotation – You can rotate the internal encryption key at any time. This is typically done if the Customer Data Key in the platform cipher has been compromised. The key can be rotated regardless of the configured key rotation period in the keystore data instance.
  • Custom cipher – The Custom cipher is used when the platform cipher does not suit your company’s needs. To use this encryption type in your application, you need to create your own custom encryption cipher. For more information, see Creating a custom cipher.

    You can switch between the platform cipher and a custom cipher to change the encryption type for your application at any time.

    Caution: When you switch between cipher types, do not delete the original custom cipher or encryption keys. Deleting the previous custom cipher or encryption keys will make Pega Platform unable to decrypt previously encrypted data.

After you configure and activate the cipher, you specify the classes and properties to encrypt. For more information, see Encrypting the storage stream (BLOB), and Creating an access control policy for the PropertyEncrypt action.

Application master key usage history
You can see read-only data based on the application data encryption settings, which shows activation and rotation history.
System data encryption (exposed by default)
Allows you to tell Pega Platform what to use or who is providing the master key for system data encryption. The only data that is encrypted is the session cookie. There are two master key providers:
  • Pega Platform – Pega will generate the key for you.
  • Keystore – You can provide your own key by specifying a key and selecting a keystore instance.
Master key usage history
You can see read-only data based on the system data encryption settings, which shows the activation and regeneration history.

Caution: Do not delete data from the pr_data_admin_sec* tables. Doing so might result in loss of encrypted data.

For more information about encryption, see Encryption.

Related articles

Configuring the platform cipherConfiguring a custom cipherConfiguring an Amazon Key Management Service (KMS) key rotationEncrypting the storage stream (BLOB)Enabling and disabling encryption for communication among search nodesImplementing and using the TextEncrypted property typeCreating an access control policyEnabling password encryption for BIX command-line extractions in on-premises systems

Tags

Pega Platform 8.6 Security

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Support Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us