
Key management system for application data encryption

Updated on March 15, 2022

Create a keystore that references keys held in other key management services, such as Microsoft Azure Key Vault, HashiCorp Vault, Google Cloud KMS, and Amazon KMS, through the use of a data page. By supporting additional key management services, Pega Platform gives you more flexibility in defining the keys that are used to encrypt application data and internal system data.

Build encryption into every layer as far as you can. An encryption strategy is only as strong as your ability to protect the encryption keys: the keys are the secret that must be protected.

  • Creating a keystore for application data encryption

    Create a keystore instance for your keystore file, which contains the keys and certificates that are used, for example, to support Web Services Security and outbound email security.

  • Encrypting system data by using a custom key management service

    Encrypt system data by using an encryption key that is sourced from a custom key management service (KMS) accessed through a data page. For system data encryption, you can only use the custom key management service.

  • Keystores

    A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. In Pega Platform, you create a keystore data instance that points to a keystore file.

  • Changing the default keystore caching settings

    You can change the values of the KeyStoreCacheExpireTime and KeyStoreCacheSize settings to control how often the keystore cache is refreshed and to limit the cache size. The lower the values, the less memory is used, but at the cost of performance.

  • Creating a keystore instance for an external key management service

    You can encrypt application and system data in Pega Platform™ by using either the platform cipher or a cipher that is stored within an external key management service (KMS). Use an external KMS to control the ownership, creation, and rotation of your master key.

  • Importing an X.509 certificate

    You can import X.509 certificates that are defined in keystore instances of type JKS or PKCS12. They become active without your having to restart the server.
