Encrypting application data by using a custom key management service

You can encrypt application data by using an encryption key that is sourced from a custom key management service (KMS) that is accessed from a data page. You source a key in this way when the key management service that you use is not one of the supported keystore platforms.

The master key in the custom KMS must be a 128-bit AES key.
  1. Create an activity that accesses the custom KMS, configures a CustomMasterKey object, and loads the master key into KeyStoreUtils.
    1. In the header of Dev Studio, click Create > Technical > Activity.
    2. In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
    3. In an activity step, set the Method to Java, and in the Java Source field, enter a code snippet similar to the one shown in step 2 of the sample activity pzSampleGetCustomMasterKey.
    4. Click Save.
  2. Create a data page that is loaded by the activity that you created in step 1.
    1. In the header of Dev Studio, click Create > Data Model > Data Page.
    2. In the Apply to (class) field, enter Data-Admin-Security-Keystore, and then click Create and open.
    3. In the Object type field, enter Data-Admin-Security-Keystore.
    4. In the Mode list, select Read-Only.
    5. In the Scope list, select Thread.
    6. In the Source list, select Activity.
    7. In the Activity name field, enter the name of the activity that you created in step 1.
    8. On the Parameters tab, select the Pass current parameter page check box.
    9. On the Load Management tab, in the Refresh strategy section, select the Reload once per interaction check box.
    10. Click Save.
  3. Create a keystore that is loaded from the data page that you created in step 2.
    1. In the header of Dev Studio, click Create > Security > Keystore.
    2. In the Keystore location field, press the Down arrow key, and under KEY MANAGEMENT SYSTEM (KMS) FOR APPLICATION DATA ENCRYPTION, select Custom – Source master key from other KMS using a data page.
    3. In the Source data page field, enter the name of the data page that you created in step 2.
    4. Click Save.
  4. Identify and activate the key for application data encryption.
    1. In the header of Dev Studio, click Configure > System > Settings > Data Encryption.
    2. In the Application data encryption section, in the Keystore field, enter the name of the keystore that you created in step 3.
    3. Click Activate.
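The Java step in the activity from step 1 is where the key material arrives from the custom KMS, and the one requirement the page states about it is that it must be a 128-bit AES key. The following is an added example, not code from the page and not Pega's pzSampleGetCustomMasterKey: it shows the validation a practitioner would put in front of the platform call, so that a key of the wrong length, malformed base64, or a key the JVM cannot use for AES is rejected before anything is loaded into the keystore. The KMS client call (fetchMasterKeyBase64FromKms) is a stand-in that returns a constructed random key, and the assumption that the KMS returns the raw key bytes base64-encoded is this example's; the CustomMasterKey and KeyStoreUtils calls themselves are not reproduced here, because the sample activity already shows them.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Validates key material returned by a custom KMS before it is handed to the
 * platform keystore. Added example; not Pega's pzSampleGetCustomMasterKey.
 */
public final class CustomMasterKeyCheck {

    /** The page's requirement: the master key must be a 128-bit AES key. */
    private static final int REQUIRED_KEY_BITS = 128;

    /** Stand-in for your KMS client (assumption: it returns base64 of the raw key bytes). */
    static String fetchMasterKeyBase64FromKms() {
        // Constructed sample value so the example runs offline: a random 16-byte key.
        byte[] demo = new byte[16];
        new SecureRandom().nextBytes(demo);
        return Base64.getEncoder().encodeToString(demo);
    }

    /** Decodes the key and rejects anything that is not exactly 128 bits of AES key material. */
    static SecretKey toAes128Key(String base64Key) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(base64Key.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("KMS returned key material that is not valid base64", e);
        }
        try {
            if (raw.length * 8 != REQUIRED_KEY_BITS) {
                throw new IllegalStateException("Master key must be " + REQUIRED_KEY_BITS
                        + " bits, got " + (raw.length * 8));
            }
            return new SecretKeySpec(raw, "AES");
        } finally {
            Arrays.fill(raw, (byte) 0); // SecretKeySpec copied the bytes; clear our copy
        }
    }

    /** Confirms the JVM's AES provider accepts the key by encrypting and decrypting a probe value. */
    static boolean selfTest(SecretKey key) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] probe = "keystore-self-test".getBytes(StandardCharsets.UTF_8);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(probe);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return Arrays.equals(probe, c.doFinal(ct));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = toAes128Key(fetchMasterKeyBase64FromKms());
        if (!selfTest(key)) {
            throw new IllegalStateException("AES self-test failed; do not load this key");
        }
        // Here the activity would configure the CustomMasterKey object and load the
        // key into KeyStoreUtils, as shown in step 2 of pzSampleGetCustomMasterKey.
        System.out.println("128-bit AES master key validated");

        // Failure mode: a 256-bit key from the KMS must be rejected, not loaded.
        byte[] wrongLength = new byte[32];
        try {
            toAes128Key(Base64.getEncoder().encodeToString(wrongLength));
        } catch (IllegalStateException expected) {
            System.out.println("Rejected: " + expected.getMessage());
        }
    }
}
```

In the actual activity step only the validation and self-test logic would be kept, followed by the CustomMasterKey and KeyStoreUtils calls from the sample; the class wrapper and main method exist so the example can be compiled and run on its own. Throwing from the step is deliberate: because the data page reloads once per interaction, a failed load surfaces immediately rather than silently leaving the keystore without a usable key.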