A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. In Pega Platform, you create a keystore data instance that points to a keystore file.
You can also create a keystore that references keys held in other key management services, such as Microsoft Azure Key Vault, HashiCorp Vault, Google Cloud KMS, and Amazon KMS, through the use of a data page. By supporting additional key management services, Pega Platform gives you more flexibility when defining the keys that encrypt application and internal system data.
Build in encryption at every layer as best you can. An encryption strategy is only as good as the protection of its keys: the keys are the secret that has to be protected, so where they live, who can read them, and how they are rotated matters more than the choice of cipher.
- Creating a keystore for application data encryption
Create a keystore instance for your keystore file, which contains the keys and certificates that are used, for example, to support Web Services Security and outbound email security.
- Encrypting system data by using a custom key management service
Encrypt system data by using an encryption key that is sourced from a Custom Key management service (KMS) and accessed through a data page. For system data encryption, you can use only the Custom Key management service.
- Changing the default keystore caching settings
You can change the values of the KeyStoreCacheExpireTime and KeyStoreCacheSize settings to control how often the keystore cache is refreshed and to restrict the cache size. Lower values use less memory, but keys are reloaded from the keystore (or the external KMS) more often, which costs processing time on each reload.
- Creating a keystore instance for an external key management service
You can encrypt application and system data in Pega Platform™ by using either the platform cipher or a key that is stored in an external key management service (KMS). Use an external KMS to control the ownership, creation, and rotation of your master key, so that rotating it does not require re-encrypting the data it protects.
- Importing an X.509 certificate
You can import X.509 certificates that are defined in keystore instances of type JKS or PKCS12. They become active without your having to restart the server.
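The following is an added example, not Pega code and not the Pega data-page integration: it shows the pattern that the keystore and external-KMS topics above rely on, a master key held in a PKCS12 keystore (standing in for the external KMS, which is an assumption of the example) that wraps a per-record data-encryption key (DEK). Rotating the master key re-wraps only the DEK; the record ciphertext is untouched. The aliases `master-v1`/`master-v2`, the password and the sample record are constructed for the example. Only the JDK standard library is used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not Pega code): envelope encryption with a master key in a PKCS12 keystore. */
public class EnvelopeKeystoreExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Build an in-memory PKCS12 keystore (stand-in for the KMS) with one master key under alias. */
    static byte[] createKeystore(String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                          // start from an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(newAesKey()),
                    new KeyStore.PasswordProtection(password));
        return store(ks, password);
    }

    static byte[] store(KeyStore ks, char[] password) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    static KeyStore open(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), password);
        return ks;
    }

    static SecretKey masterKey(KeyStore ks, String alias, char[] password) throws Exception {
        KeyStore.SecretKeyEntry e = (KeyStore.SecretKeyEntry)
            ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        if (e == null) throw new IllegalStateException("no master key under alias " + alias);
        return e.getSecretKey();
    }

    /** AES-GCM encrypt; output layout is IV || ciphertext || tag. AAD binds context (e.g. the alias). */
    static byte[] seal(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                              // fresh IV per call; never reuse with one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] unseal(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        c.updateAAD(aad);                                // wrong alias/AAD fails the tag check
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        char[] pw = "change-me".toCharArray();          // constructed sample password
        byte[] ksBytes = createKeystore("master-v1", pw);

        // Encrypt one record with its own DEK; wrap the DEK under the current master key.
        byte[] record = utf8("account=42;balance=100");  // constructed sample data
        SecretKey dek = newAesKey();
        byte[] dataCt = seal(dek, record, utf8("record"));
        byte[] wrappedDek = seal(masterKey(open(ksBytes, pw), "master-v1", pw),
                                 dek.getEncoded(), utf8("master-v1"));

        // Rotate: add master-v2, re-wrap the DEK, retire master-v1. dataCt is not touched.
        KeyStore ks = open(ksBytes, pw);
        ks.setEntry("master-v2", new KeyStore.SecretKeyEntry(newAesKey()),
                    new KeyStore.PasswordProtection(pw));
        byte[] dekBytes = unseal(masterKey(ks, "master-v1", pw), wrappedDek, utf8("master-v1"));
        wrappedDek = seal(masterKey(ks, "master-v2", pw), dekBytes, utf8("master-v2"));
        Arrays.fill(dekBytes, (byte) 0);                 // scrub the unwrapped DEK
        ks.deleteEntry("master-v1");
        ksBytes = store(ks, pw);

        // Decrypt using only the rotated keystore.
        SecretKey dek2 = new SecretKeySpec(
            unseal(masterKey(open(ksBytes, pw), "master-v2", pw), wrappedDek, utf8("master-v2")), "AES");
        byte[] back = unseal(dek2, dataCt, utf8("record"));
        System.out.println(Arrays.equals(record, back) ? "decrypted after rotation: ok" : "mismatch");
    }
}
```

Two design points carry over to a real deployment: the master key alias is bound into the wrapped DEK as AAD, so a blob re-wrapped under `master-v2` cannot be silently unwrapped with a stale key reference after rotation, and the old alias is deleted only after every wrapped DEK has been re-wrapped; in production you would keep the retired key readable for a grace period rather than delete it in the same step.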