Encrypting application data by using a custom key management service
You can encrypt application data by using an encryption key that is sourced from a custom key management service that is accessed from a data page. You source a key in this way when you use a key management service that is not one of the supported keystore platforms.
The master key in the custom KMS must be a 128-bit AES key.
- Create an activity that accesses the custom KMS, configures a
CustomMasterKey object, and loads the master key into
KeyStoreUtils.
- In the header of Dev Studio, click .
- In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
- In an activity step, enter Method equal to Java, and in the Java Source field, enter a code snippet similar to the example shown in step 2 of the sample activity pzSampleGetCustomMasterKey.
- Click Save.
- Create a data page that is loaded by the activity that you created in step
1.
- In the header of Dev Studio, click .
- In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
- In the Object type field, enter Data-Admin-Security-Keystore.
- In the Mode list, select Read-Only.
- In the Scope list, select Thread.
- In the Source list, select Activity.
- In the Activity name field, enter the name of the activity that you created in step 1.
- On the Parameters tab, select the Pass current parameter page check box.
- On the Load Management tab, in the Refresh strategy section, select the Reload once per interaction check box.
- Click Save.
- Create a keystore that is loaded from the data page that you created in step
2.
- In the header of Dev Studio, click .
- In the Keystore location field, press the Down arrow key, and under KEY MANAGEMENT SYSTEM (KMS) FOR APPLICATION DATA ENCRYPTION, select Custom – Source master key from other KMS using a data page.
- In the Source data page field, enter the name of the data page that you created in step 2.
- Click Save.
- Identify and activate the key for application data encryption.
- In the header of Dev Studio, click .
- In the Application data encryption section, in the Keystore field, enter the name of the keystore that you created in step 3.
- Click Activate.
Previous topic Configuring a Google Cloud KMS keystore Next topic Encrypting system data by using a custom key management service