Configure a keystore by referencing an encryption key that is stored in Google Cloud
key management service (KMS).
Before you begin: You must create a keystore data instance in Pega Platform with Keystore location equal to Google Cloud KMS before you can configure the keystore.
-
If you have not yet defined your cryptographic key in Google Cloud KMS, create
a Google Cloud project, a service account, and a key ring. For details, see the Google
Cloud KMS documentation and the
Pega Community article Configuring a Google Cloud KMS keystore.
-
Create a service account with the role Cloud KMS
CryptoKey Encrypter/Decrypter, and download the account
credentials as a .json file. Grant the role on the key (or key ring) that Pega Platform
will use rather than on the whole project, so the account can only wrap and unwrap with
that key. The .json file is a long-lived credential: store it with restricted file
permissions and delete any copies after you upload it to Pega Platform.
-
Create a key ring and a symmetric encrypt/decrypt key, and copy the key ID in Google
resource name format, not just the short key name.
Open a keystore from the navigation panel and select a Google Cloud KMS keystore from the instance
list.
-
Click Upload file, and select the service account
credentials file that you downloaded in step 1a.
-
In the Customer master key ID field, enter the key in
Google resource name format that you copied in step 1b, for example
projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME, where the
uppercase segments are your own values.
-
In the Customer data key rotation in days field, enter
the number of days after which the customer data key (CDK) rotates. The CDK is the key
that Pega Platform uses to encrypt your data; the customer master key in Google Cloud KMS
protects the CDK, so rotating the CDK limits how much data any one data key covers.
Note: The recommended (default) value is 90 days. You can set the rotation to
any time between 30 and 365 days.
-
Click Test connectivity to verify that all fields are
filled out correctly and that Pega Platform can connect to Google
Cloud KMS and access your key. If the test fails, confirm that the key ID is a full
resource name and that the Encrypter/Decrypter role is bound to that key for the
service account whose credentials you uploaded.
-
Click Save.
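The following script is an added example, not code from Pega Platform or from the Pega Community article. It shows steps 1a and 1b done with gcloud (key ring, symmetric key, service account, a key-level role binding, and the downloaded .json credentials), plus two local checks you can run before filling in the keystore form: that the value you are about to paste into Customer master key ID is a CryptoKey resource name, and that the uploaded file is a service-account key. The project, location, key ring, key and service-account names are placeholders.

```shell
#!/bin/sh
# Added example (not Pega or Google code). Placeholders: my-project, us-east1,
# pega-ring, pega-cdk-wrap, pega-keystore-sa. Adjust to your environment.

# Build the Customer master key ID value Pega expects (resource name format).
kms_key_resource_name() {
  # $1 project, $2 location, $3 key ring, $4 key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Succeeds (exit 0) only for a CryptoKey resource name. A bare key name or a
# CryptoKeyVersion path (".../cryptoKeyVersions/1") is rejected; both are
# common copy mistakes that make Test connectivity fail.
is_kms_key_resource_name() {
  printf '%s' "$1" |
    grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Succeeds only if the file is a service-account key ("type": "service_account").
# Other downloadable credential JSON (for example OAuth client files) will not work.
is_service_account_key_file() {
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1"
}

# Provisioning (needs gcloud and IAM permissions; not exercised offline).
# Prints the resource name to paste into the keystore form.
provision_kms_for_pega() {
  project="$1"; location="$2"; ring="$3"; key="$4"; sa="$5"; out="$6"
  email="${sa}@${project}.iam.gserviceaccount.com"

  gcloud kms keyrings create "$ring" --project "$project" --location "$location"
  # Symmetric encrypt/decrypt key: this is what wraps the Pega customer data key.
  gcloud kms keys create "$key" --project "$project" --location "$location" \
    --keyring "$ring" --purpose encryption
  gcloud iam service-accounts create "$sa" --project "$project" \
    --display-name "Pega keystore"
  # Least privilege: bind the role on the key, not on the project.
  gcloud kms keys add-iam-policy-binding "$key" --project "$project" \
    --location "$location" --keyring "$ring" \
    --member "serviceAccount:${email}" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  # Long-lived credential: restrict permissions as soon as it is written.
  gcloud iam service-accounts keys create "$out" --project "$project" \
    --iam-account "$email"
  chmod 600 "$out"

  kms_key_resource_name "$project" "$location" "$ring" "$key"
}

# Usage (after sourcing this file):
#   provision_kms_for_pega my-project us-east1 pega-ring pega-cdk-wrap \
#     pega-keystore-sa ./pega-keystore-sa.json
#   is_kms_key_resource_name "$KEY_ID" && is_service_account_key_file ./pega-keystore-sa.json
```

Source the file and call provision_kms_for_pega once per environment; it prints the resource name for the Customer master key ID field. Run the two is_ checks on the values you actually intend to paste and upload, since a short key name or a key-version path passes a visual check but fails Test connectivity.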