Configuring a Google Cloud KMS keystore
Configure a keystore by referencing an encryption key that is stored in Google Cloud Key Management Service (KMS). The KMS key acts as the customer master key (CMK) that protects the customer data key (CDK) used for application data encryption; the CMK itself never leaves Google Cloud KMS.
- If you have not yet defined your cryptographic key in Google Cloud KMS, create a Google Cloud project, a service account, and a keyring. For details, see the Google Cloud KMS documentation and Creating a keystore for application data encryption.
  - Create a service account, grant it the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key or keyring that the keystore will use rather than on the whole project, and download the account credentials as a .json file. Treat this file as a long-lived secret: anyone who holds it can encrypt and decrypt with the key.
  - Create a keyring and a symmetric encryption key (purpose ENCRYPT_DECRYPT), and copy the key ID in Google resource name format, for example projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY.
- Open a keystore from the navigation panel and select a Google Cloud KMS keystore from the instance list.
- Click Upload file, and select the service account credentials file that you downloaded in step 1a.
- In the Customer master key ID field, enter the key in Google resource name format that you copied in step 1b.
- In the Customer data key rotation in days field, enter the number of days after which the customer data key (CDK) rotates.
Note: The recommended (default) value is 90 days. You can set the rotation to any value between 30 and 365 days. This setting rotates only the CDK that Pega Platform manages; rotation of the KMS key itself is configured separately in Google Cloud KMS and does not change the key ID that you entered.
- Click Test connectivity to verify that all fields are filled out correctly and that Pega Platform can connect to Google Cloud KMS and find your key. If the test fails, check that the key is enabled, that the key ID is the full resource name (not a key version), and that the service account in the uploaded file holds the Encrypter/Decrypter role on that key.
- Click Save.
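The Google Cloud side of the procedure above (keyring, symmetric key, service account, least-privilege role binding, credentials file, and the key ID in resource name format), as an added gcloud script that is not part of the Pega documentation or product. The project, location, keyring, key, and service account names are placeholders, and the two validate functions are a local pre-flight check on the values you paste into the keystore form; they are not Pega functionality. Set KMS_APPLY=1 to run the gcloud commands.

```shell
#!/usr/bin/env bash
# Added example, not from the Pega documentation: provisions the Google Cloud
# objects the keystore needs and scopes the Encrypter/Decrypter role to one key.
# All names below are assumed placeholders; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-pega-project}"   # assumed project ID
LOCATION="${LOCATION:-us-east1}"              # assumed KMS location
KEYRING="${KEYRING:-pega-keyring}"            # assumed keyring name
KEY="${KEY:-pega-cmk}"                        # assumed key name
SA_NAME="${SA_NAME:-pega-kms-client}"         # assumed service account name
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
CREDS_FILE="${CREDS_FILE:-./${SA_NAME}.json}" # file to upload in the keystore form

# Check that a key ID is in Google resource name format, which is what the
# Customer master key ID field expects. A bare key name or a name that ends in
# /cryptoKeyVersions/N is rejected: the keystore needs the key, not one version.
validate_key_resource_name() {
  printf '%s' "$1" | grep -Eq \
    '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Check a CDK rotation period against the 30..365 day range the form accepts.
validate_rotation_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 30 ] && [ "$1" -le 365 ]
}

provision_kms() {
  gcloud config set project "$PROJECT_ID"
  gcloud services enable cloudkms.googleapis.com

  # Keyring and a symmetric ENCRYPT_DECRYPT key. Rotation of this KMS key is a
  # separate Google Cloud setting and does not affect the CDK rotation in Pega.
  gcloud kms keyrings create "$KEYRING" --location "$LOCATION"
  gcloud kms keys create "$KEY" --location "$LOCATION" --keyring "$KEYRING" \
    --purpose encryption

  # Service account that Pega Platform will authenticate as.
  gcloud iam service-accounts create "$SA_NAME" \
    --display-name "Pega KMS keystore client"

  # Least privilege: bind the role on this one key, not at project level.
  gcloud kms keys add-iam-policy-binding "$KEY" \
    --location "$LOCATION" --keyring "$KEYRING" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  # Long-lived credential: this is the .json file uploaded in the keystore form.
  gcloud iam service-accounts keys create "$CREDS_FILE" --iam-account "$SA_EMAIL"
  chmod 600 "$CREDS_FILE"

  # Print the key ID in resource name format for the Customer master key ID field.
  gcloud kms keys describe "$KEY" --location "$LOCATION" --keyring "$KEYRING" \
    --format 'value(name)'
}

# Only run the gcloud steps when explicitly requested, so the file can also be
# sourced just for the validators.
if [ "${KMS_APPLY:-0}" = "1" ]; then
  provision_kms
fi
```

After the script prints the resource name, run `validate_key_resource_name "$NAME"` and `validate_rotation_days 90` before filling in the form; both return non-zero on a value that Test connectivity would reject.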