This documentation site is for previous versions. Visit our new documentation site for current releases.

Creating a keystore for application data encryption

Updated on March 15, 2022

Create a keystore instance for your keystore file, which contains the keys and certificates that are used, for example, to support Web Services Security and outbound email security.

Before you begin: Obtain a keystore file that is signed by a certificate authority or is self-signed, and make it available as a file or as a URL. Obtaining the keystore file is done outside of Pega Platform. If the file has a password, you also need the password. For more information, see your security administrator.
  1. In the header of Dev Studio, click Create > Security > Keystore.
  2. In the Short description field, enter a name for the keystore.
  3. In the Keystore field, enter an ID for the keystore.
  4. Click Create and open.
  5. In the Keystore location field, press the Down arrow key and select the key management system or keystore source:
    • Amazon Key Management Service (KMS) — Reference an encryption key that is stored in Amazon Web Services Key Management Service (AWS KMS).
    • Microsoft Azure Key Vault — Reference an encryption key that is stored in Microsoft Azure Key Vault.
    • HashiCorp Vault — Reference an encryption key that is stored in HashiCorp Vault.
    • Google Cloud KMS — Reference an encryption key that is stored in Google Cloud KMS.
    • Custom — Source master key from other KMS using a data page – Reference an encryption key that is stored in an external custom source and is retrieved by using a data page. For details on configuring a custom KMS for application data encryption, see Encrypting application data by using a custom key management service.
    • Upload file — Upload the keystore file, such as a Java KeyStore (JKS) file.
    • Reference to file — Reference the keystore file from a file location.
    • Reference to URL — Reference the keystore file that contains public keys from a URL address.
    • Reference to data page — Reference the keystore that is stored in a data page.
  6. Configure the keystore based on the keystore location that you selected.
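
A pre-upload check for the "Before you begin" prerequisite, as an added example that is not part of the Pega documentation: it identifies whether a file is a JKS container and confirms that the password you were given matches it, using the integrity digest stored at the end of a JKS file. The function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest


def _jks_digest(password, body):
    # JKS integrity value: SHA-1 over UTF-16BE password, fixed salt, store body.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def build_empty_jks(password):
    # Constructed sample input: a version-2 JKS store with zero entries.
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _jks_digest(password, body)


def inspect_keystore(data, password=None):
    """Report container format; for JKS, also check the store password."""
    info = {"format": "unknown", "version": None, "entries": None,
            "password_ok": None}
    if len(data) >= 12:
        magic, version, count = struct.unpack(">III", data[:12])
        if magic in (JKS_MAGIC, JCEKS_MAGIC):
            info["format"] = "JKS" if magic == JKS_MAGIC else "JCEKS"
            info["version"], info["entries"] = version, count
            # Header (12 bytes) plus trailing 20-byte digest is the minimum.
            if magic == JKS_MAGIC and password is not None and len(data) >= 32:
                body, stored = data[:-20], data[-20:]
                info["password_ok"] = hmac.compare_digest(
                    _jks_digest(password, body), stored)
            return info
    if data[:1] == b"\x30":
        # ASN.1 SEQUENCE tag: a DER file such as PKCS#12, not a JKS store.
        info["format"] = "DER (possibly PKCS#12)"
    return info


if __name__ == "__main__":
    sample = build_empty_jks("changeit")  # constructed password
    print(inspect_keystore(sample, "changeit"))
    print(inspect_keystore(sample, "not-the-password"))
```

A `password_ok` value of `False` means either the password is wrong or the file was modified after it was written, so resolve that with your security administrator before uploading.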