Encrypting system data by using a custom key management service
Encrypt system data using an encryption key that is sourced from a Custom Key management service (KMS) that is accessed from a data page. For system data encryption, you can only use the Custom Key management service.
- Create an activity that accesses the custom KMS, configures a
CustomMasterKey object, and loads the master key into
KeyStoreUtils.
- In the header of Dev Studio, click .
- In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
- In an activity step, in the Method field, enter
Java, and in the Java
Source field, enter a code snippet similar to the
example in step 1 of the sample activity
pzSampleGetCustomMasterKey.Instead of the first Java command shown in the sample, your activity can use a Connect-REST step that accesses the master key from the custom KMS.
- Click Save.
- Create a data page that is loaded by the activity that you created in step
1.
- In the header of Dev Studio, click .
- In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
- In the Object type field, enter Data-Admin-Security-Keystore.
- In the Mode list, select Read-Only.
- In the Scope list, select Node.
- In the Source list, select Activity.
- In the Activity name field, enter the name of the activity that you created in step 1.
- On the Parameters tab, select the Pass current parameter page check box.
- Click Save.
- Create a keystore that is loaded from the data page that you created in step
2.
- In the header of Dev Studio, click .
- In the Keystore location field, press the Down arrow key, and under KEY MANAGEMENT SYSTEM (KMS) FOR SYSTEM DATA ENCRYPTION, select Custom – Source master key from other KMS using a data page.
- In the Source data page field, enter the name of the data page that you created in step 2.
- Click Save.
- Identify and activate the key for system data encryption.
- In the header of Dev Studio, click .
- In the System data encryption section, in the Keystore field, enter the name of the keystore that you created in step 3.
- Click Activate.
- Configuring a keystore for a master key from a custom source
Configure a keystore for a master encryption key that is stored in an external source, such as a key management service. Use keystores to encrypt, authenticate, and serve content over HTTPS. Master keys can encrypt data that is stored temporarily, for example, cached requestor IDs, or data that is persisted, such as data in a database.
- Creating a data page for a master key from a custom source
Encrypt system data using an encryption key that is sourced from a Custom Key management service (KMS) that is accessed from a data page. To configure a keystore for a master key by using a data page reference, create the data page, and then use the data page to retrieve a master key from an external source.
- Creating a data page activity for a master key from a custom source
Encrypt system data using an encryption key that is sourced from a Custom Key management service (KMS) that is accessed from a data page. To configure a keystore for a master key by using a data page reference, create the data page, and then use the data page to retrieve a master key from an external source.
Previous topic Encrypting application data by using a custom key management service Next topic Configuring a keystore for a master key from a custom source