
Potential problems with keystores when using AWS KMS

Updated on March 15, 2022

You can integrate Pega Platform with your private Amazon Web Services Key Management Service (AWS KMS) account to manage the keys that encrypt and decrypt BLOBs and property values. Some problems can occur, but they can be mitigated or prevented with the proper configuration.

When integrating Pega Platform with your private AWS KMS, you can create, delete, and control the keys that are used to encrypt your data. By using AWS KMS, you do not need to implement a site-specific cipher to encrypt your data.

When you use AWS KMS, the following problems can occur:

  • New Keystore instance is required for key changes
  • Unavailability of the customer master key in some situations
  • Switching between cipher types can result in data loss

New Keystore instance required for key changes

If a customer master key (CMK) in the keystore is compromised and you want to change it, create a new Keystore instance, and then reference it on the Data Encryption landing page. When you update the Data Encryption landing page, the following changes happen:

  • A new customer data key (CDK) is generated for new encryption requests.
  • The previous CDKs are reencrypted under the new CMK in the new keystore, so they remain available for decrypting previously encrypted data.

Unavailability of the customer master key

If the CMK is disabled, deleted, or pending deletion (the deletion process can take from 7 to 30 days), the key is not available. Depending on the reason why the CMK is not available, apply one of the following solutions:

  • If the customer master key (CMK) is disabled, reenable it on your AWS account.
  • If the key has a pending deletion status, cancel the deletion request, and enable the key.
  • Create a Keystore rule form with active CMKs. Update the Data Encryption landing page with the new keystore name. This action initiates a request to reencrypt the data by using a different master key.
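The two situations above (pointing the Data Encryption landing page at a new Keystore instance, and a CMK that is disabled, pending deletion, or deleted) as an added Go simulation. This is not Pega's or AWS's code: AES-256-GCM stands in for both the KMS wrapping operation and the platform cipher, an in-memory map stands in for the KMS account, and the CDK naming, the Keystore structure, and the exact rewrap mechanics are assumptions modeled on the description on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws from the OS CSPRNG; it panics rather than hand out a weak key.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal/open: AES-256-GCM, nonce prepended. The same primitive wraps a CDK under
// a CMK and encrypts a property value under a CDK.
func seal(key, pt []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("wrapped key or ciphertext missing or too short")
}

// KMS stands in for the AWS KMS account, MasterKey for a CMK. Raw CMK bytes never
// leave it: callers get only Wrap/Unwrap (KMS Encrypt/Decrypt of a data key), and
// both refuse to work while the CMK is deleted, disabled or pending deletion.
type MasterKey struct{ raw []byte; Enabled bool }
type KMS map[string]*MasterKey

func (k KMS) CreateKey(id string) { k[id] = &MasterKey{raw: randomBytes(32), Enabled: true} }

func (k KMS) use(id string, data []byte, op func(key, data []byte) ([]byte, error)) ([]byte, error) {
	if mk, ok := k[id]; ok && mk.Enabled {
		return op(mk.raw, data)
	}
	return nil, fmt.Errorf("CMK %s is deleted, disabled or pending deletion", id)
}

func (k KMS) Wrap(id string, dk []byte) ([]byte, error)   { return k.use(id, dk, seal) }
func (k KMS) Unwrap(id string, wr []byte) ([]byte, error) { return k.use(id, wr, open) }

// Keystore models a Pega Keystore instance (assumed layout): one CMK plus every CDK
// wrapped under it; CurrentCDK serves new encryption requests. A Record carries its CDK id.
type Keystore struct {
	MasterKeyID, CurrentCDK string
	DataKeys                map[string][]byte // CDK id -> CDK wrapped under MasterKeyID
}
type Record struct{ CDKID string; Ciphertext []byte }

// NewKeystore builds an instance under masterID. Passing prev is what pointing the
// Data Encryption landing page at a new Keystore does: every CDK of prev is rewrapped
// under the new CMK (prev's CMK must still be usable), then a fresh CDK is generated.
func NewKeystore(k KMS, masterID string, prev *Keystore) (*Keystore, error) {
	ks := &Keystore{MasterKeyID: masterID, DataKeys: map[string][]byte{}}
	if prev != nil {
		for id, wrapped := range prev.DataKeys {
			cdk, err := k.Unwrap(prev.MasterKeyID, wrapped)
			if err == nil {
				ks.DataKeys[id], err = k.Wrap(masterID, cdk)
			}
			if err != nil {
				return nil, fmt.Errorf("cannot rewrap %s: %w", id, err)
			}
		}
	}
	ks.CurrentCDK = fmt.Sprintf("cdk-%d", len(ks.DataKeys)+1)
	wrapped, err := k.Wrap(masterID, randomBytes(32)) // the fresh CDK
	ks.DataKeys[ks.CurrentCDK] = wrapped
	return ks, err
}

func (ks *Keystore) Encrypt(k KMS, pt []byte) (Record, error) {
	cdk, err := k.Unwrap(ks.MasterKeyID, ks.DataKeys[ks.CurrentCDK])
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(cdk, pt)
	return Record{ks.CurrentCDK, ct}, err
}

// Decrypt fails when the record's CDK is unknown here or the CMK is unusable.
func (ks *Keystore) Decrypt(k KMS, r Record) ([]byte, error) {
	cdk, err := k.Unwrap(ks.MasterKeyID, ks.DataKeys[r.CDKID])
	if err != nil {
		return nil, fmt.Errorf("CDK %s: %w", r.CDKID, err)
	}
	return open(cdk, r.Ciphertext)
}
```

Calling NewKeystore with the previous keystore rewraps every earlier CDK under the new CMK, which only works while the old CMK is still usable; data encrypted before the switch stays readable because the CDK itself never changes, only its wrapping. Once a CMK is disabled or pending deletion, both Decrypt and the rewrap fail until the key is reenabled or the deletion is cancelled, which is why the first two remedies above restore access without touching the data; after the CMK is actually deleted, nothing can unwrap the CDKs anymore.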

Switching between cipher types

Do not switch between cipher types because you can lose previously encrypted data.

Caution: If you switch between cipher types and delete the AWS KMS encryption keys, or if a custom cipher class becomes unavailable, you cannot decrypt and reencrypt all your previously encrypted data. For information about how to safely reencrypt data, contact Global Customer Support.
