Potential problems with keystores when using AWS KMS
You can integrate Pega Platform with your private Amazon Web Services Key Management Service (AWS KMS) account to manage the keys that encrypt and decrypt BLOBs and property values. Some problems can occur with this integration, but they can be mitigated or prevented with the proper configuration.
When integrating Pega Platform with your private AWS KMS, you can create, delete, and control the keys that are used to encrypt your data. By using AWS KMS, you do not need to implement a site-specific cipher to encrypt your data.
When you use AWS KMS, the following problems can occur:
- New Keystore instance is required for key changes
- Unavailability of the customer master key in some situations
- Switching between cipher types can result in data loss
New Keystore instance required for key changes
If a customer master key (CMK) in the keystore is compromised and you want to change it, you cannot swap the CMK inside the existing Keystore instance. Instead, create a new Keystore instance that references a different CMK, and then reference the new keystore on the Data Encryption landing page. When you update the Data Encryption landing page, the following changes happen:
- A new customer data key (CDK) is generated for new encryption requests.
- The previous CDKs are reencrypted under the new CMK in the new keystore, so that data encrypted with those CDKs can still be decrypted.
Because the previous CDKs must be decrypted under the old CMK before they can be reencrypted under the new one, the old CMK must still be enabled when you update the landing page. Disable or schedule deletion of the compromised CMK only after the update has completed.
Unavailability of the customer master key
If the CMK is disabled, pending deletion (AWS KMS enforces a waiting period of 7 to 30 days before the key is actually deleted), or already deleted, the key is not available, and every encryption and decryption request that depends on it fails. Depending on the reason why the CMK is not available, apply one of the following solutions:
- If the customer master key (CMK) is disabled, reenable it on your AWS account.
- If the key has a pending deletion status, cancel the deletion request, and then enable the key. Cancelling the deletion leaves the key in the disabled state; it does not reenable the key by itself.
- Create a new Keystore rule that references an active CMK, and update the Data Encryption landing page with the new keystore name. This action initiates a request to reencrypt the CDKs under the different master key, which requires the previous CMK to be usable at that moment. Once a CMK has been deleted, the CDKs that were wrapped under it cannot be decrypted, so the data that they protect is unrecoverable; a new keystore protects only data encrypted after the switch.
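The two procedures above (moving to a new Keystore instance after a CMK compromise, and restoring an unavailable CMK) are easier to reason about with the envelope-encryption mechanics made explicit. The following Python model is an added example, not Pega's or AWS's code: `ToyKms` is a hypothetical in-memory stand-in for AWS KMS with the same key states and operation names (CreateKey, DescribeKey, DisableKey, EnableKey, ScheduleKeyDeletion, CancelKeyDeletion, GenerateDataKey, Decrypt, ReEncrypt), `Keystore` is an assumed model of a Pega Keystore instance, and the cipher is a toy SHAKE-256/HMAC construction standing in for AES. It assumes the standard envelope model: property values and BLOBs are encrypted under CDKs, CDKs are wrapped under the CMK, and switching keystores rewraps the CDKs rather than reencrypting the data. The sample property value is constructed.

```python
import hashlib
import hmac
import os

class KmsError(Exception):
    """Stands for AWS KMS DisabledException / NotFoundException, or a failed integrity check."""

def _wrap(key, pt):  # toy AEAD (SHAKE-256 keystream + HMAC-SHA256 tag) standing in for the real AES
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KmsError("integrity check failed (wrong key or tampered blob)")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

class ToyKms:
    """Hypothetical stand-in for AWS KMS: CMKs that are Enabled, Disabled, PendingDeletion or gone."""
    def __init__(self): self.keys = {}  # key_id -> {"material": bytes, "state": str}
    def create_key(self):
        kid = "cmk-" + os.urandom(4).hex()
        self.keys[kid] = {"material": os.urandom(32), "state": "Enabled"}
        return kid
    def describe_key(self, kid):
        if kid not in self.keys:
            raise KmsError(f"{kid}: NotFoundException (waiting period elapsed, key deleted)")
        return self.keys[kid]["state"]
    def _set_state(self, kid, state):
        self.describe_key(kid)  # raises if the key no longer exists
        self.keys[kid]["state"] = state
    def disable_key(self, kid): self._set_state(kid, "Disabled")
    def enable_key(self, kid): self._set_state(kid, "Enabled")
    def schedule_key_deletion(self, kid): self._set_state(kid, "PendingDeletion")
    def cancel_key_deletion(self, kid): self._set_state(kid, "Disabled")  # AWS leaves a cancelled key Disabled
    def purge_deleted(self):  # models the 7-30 day waiting period running out
        self.keys = {k: v for k, v in self.keys.items() if v["state"] != "PendingDeletion"}
    def _usable(self, kid):  # key material, available only while the CMK is Enabled
        if (state := self.describe_key(kid)) != "Enabled":
            raise KmsError(f"{kid} is {state}: DisabledException")
        return self.keys[kid]["material"]
    def generate_data_key(self, kid):  # -> (plaintext CDK, CDK wrapped under the CMK)
        cdk = os.urandom(32)
        return cdk, _wrap(self._usable(kid), cdk)
    def decrypt(self, kid, wrapped_cdk): return _unwrap(self._usable(kid), wrapped_cdk)
    def re_encrypt(self, src_kid, dst_kid, wrapped_cdk):  # rewrap; both CMKs must be Enabled
        return _wrap(self._usable(dst_kid), _unwrap(self._usable(src_kid), wrapped_cdk))

class Keystore:
    """Modelled Pega Keystore instance: one CMK, a current CDK for new writes, every older wrapped CDK."""
    def __init__(self, kms, cmk_id, inherited=None):
        self.kms, self.cmk_id = kms, cmk_id
        self.wrapped = dict(inherited or {})  # cdk_id -> CDK wrapped under self.cmk_id
        self.current = "cdk-" + os.urandom(4).hex()
        self.wrapped[self.current] = kms.generate_data_key(cmk_id)[1]  # fresh CDK for new requests
    def encrypt_value(self, pt):  # -> (cdk_id, blob); the cdk_id is stored alongside the blob
        return self.current, _wrap(self.kms.decrypt(self.cmk_id, self.wrapped[self.current]), pt)
    def decrypt_value(self, cdk_id, blob):
        return _unwrap(self.kms.decrypt(self.cmk_id, self.wrapped[cdk_id]), blob)

def switch_keystore(old, new_cmk_id):
    """The landing-page update: rewrap every old CDK under the new CMK; the data blobs are untouched."""
    rewrapped = {c: old.kms.re_encrypt(old.cmk_id, new_cmk_id, w) for c, w in old.wrapped.items()}
    return Keystore(old.kms, new_cmk_id, inherited=rewrapped)

def restore_cmk(kms, kid):
    """Remediation for an unavailable CMK: cancel a pending deletion, then reenable. Returns the state."""
    if kms.describe_key(kid) == "PendingDeletion":
        kms.cancel_key_deletion(kid)  # the key comes back Disabled, not Enabled
    kms.enable_key(kid)               # harmless if it was already Enabled
    return kms.describe_key(kid)

def succeeds(fn, *args):  # True unless KMS refuses the call (disabled, pending deletion or deleted CMK)
    try:
        return fn(*args) is not None
    except KmsError:
        return False

def demo():
    """The page's scenarios in order; returns what was observed at each step."""
    kms, secret = ToyKms(), b"card=4111-xxxx-xxxx-1111"  # constructed sample property value
    ks1 = Keystore(kms, kms.create_key())
    cdk_id, blob = ks1.encrypt_value(secret)
    ks2 = switch_keystore(ks1, kms.create_key())  # 1. compromised CMK: new keystore on a new CMK,
    kms.disable_key(ks1.cmk_id)                   #    then retire the old CMK (after the switch, not before)
    out = {"old_blob_after_switch": ks2.decrypt_value(cdk_id, blob) == secret,
           "new_cdk_for_new_writes": ks2.current != ks1.current}
    kms.disable_key(ks2.cmk_id)                   # 2. unavailable CMK: disabled, then pending deletion
    out["readable_while_disabled"] = succeeds(ks2.decrypt_value, cdk_id, blob)
    kms.schedule_key_deletion(ks2.cmk_id)
    out["state_after_restore"] = restore_cmk(kms, ks2.cmk_id)
    out["readable_after_restore"] = succeeds(ks2.decrypt_value, cdk_id, blob)
    kms.schedule_key_deletion(ks2.cmk_id)         # 3. waiting period elapses: the CMK is gone, so its
    kms.purge_deleted()                           #    CDKs can no longer be rewrapped under a new CMK
    out["switchable_after_deletion"] = succeeds(switch_keystore, ks2, kms.create_key())
    return out

if __name__ == "__main__": print(demo())
```

Running the file prints the `demo()` dictionary: the old blob stays readable after the keystore switch because only its CDK was rewrapped, reads fail while the CMK is disabled or pending deletion and resume once it is restored, and the switch to a third keystore fails once the second CMK has been deleted, which is the unrecoverable case. Against real AWS KMS the same flow maps onto the boto3 `kms` client, where `re_encrypt` additionally requires `kms:ReEncryptFrom` on the old key and `kms:ReEncryptTo` on the new one.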
Switching between cipher types
Do not switch between cipher types (for example, between a site-specific cipher and AWS KMS) after data has been encrypted, because data encrypted under the previous cipher type can no longer be decrypted and is lost.