Encryption ciphers

You can select the type of encryption to use in your application to encrypt and decrypt passwords, properties, and BLOBs to make your data more secure.

Note: The Data Encryption tab is visible to operators who have the pxCanManageDataEncryption privilege in their access roles. This privilege is part of the PegaRULES:SecurityAdministrator role.

Access the Data Encryption tab by clicking Configure > System > Settings > Data Encryption. On this tab you select the encryption type to use in your application to encrypt and decrypt passwords, properties, and BLOBs. The following options are available:

  • Platform cipher – The platform cipher uses the AES256-CBC with PKCS7 Padding cryptographic algorithm to encrypt and decrypt sensitive case data in your application. You need to use your own Customer Master Key (CMK), managed by your external key management service (KMS). The keys stored in AWS KMS support time-based and on-demand data key rotations. You do not need to create any custom cipher code for this encryption option.
    CAUTION:
    • When changing the KMS keystore, you must activate the new keystore before you delete or disable the currently active Customer Master Key.
    • Do not delete data from the pr_data_admin_sec* tables. Doing so might result in loss of encrypted data.
  • Custom cipher – If the platform cipher does not suit your company's needs, you can choose to use a custom cipher. To use this encryption type in your application, you need to create your own custom encryption cipher. For more information, see the Pega Community article Creating a custom cipher in Pega Platform.

    You can switch between the platform cipher and a custom cipher to change the encryption type for your application at any time.

    CAUTION:
    Pega Platform uses the original custom cipher or KMS encryption keys to decrypt previously encrypted data. When you switch between cipher types, do not delete the original custom cipher or encryption keys. If you delete the previous custom cipher or encryption keys, Pega Platform will not be able to decrypt previously encrypted data.
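The caution above, worked through as an added example that is not Pega's code and uses none of the Pega APIs: a stand-in keystore, a key ID stored with every encrypted record, AES-256-CBC with PKCS7 padding, and a decrypt path that looks up the key the record was written with, so data encrypted before a rotation still decrypts and data whose key was deleted cannot be recovered. The Keystore and Record types are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keystore stands in for the external KMS (constructed for this example): key ID -> 32-byte AES-256 key.
// A rotation adds a new entry and moves Active to it; earlier entries must stay for earlier data.
type Keystore struct {
	Keys   map[string][]byte
	Active string
}

// Record keeps the ciphertext together with the ID of the key that produced it.
type Record struct {
	KeyID  string
	IV, CT []byte
}

// Encrypt applies AES-256-CBC with PKCS7 padding under the active key and a fresh random IV.
func (ks *Keystore) Encrypt(plain []byte) (Record, error) {
	block, err := aes.NewCipher(ks.Keys[ks.Active])
	if err != nil {
		return Record{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Record{}, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS7: always at least one byte of padding
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return Record{KeyID: ks.Active, IV: iv, CT: ct}, nil
}

// Decrypt uses the key the record was written with, not the active one; a deleted key means the record is lost.
func (ks *Keystore) Decrypt(r Record) ([]byte, error) {
	key, ok := ks.Keys[r.KeyID]
	if !ok {
		return nil, fmt.Errorf("key %q no longer in keystore: data unrecoverable", r.KeyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(r.CT) == 0 || len(r.CT)%aes.BlockSize != 0 || len(r.IV) != aes.BlockSize {
		return nil, fmt.Errorf("bad key, IV or ciphertext length for key %q", r.KeyID)
	}
	p := make([]byte, len(r.CT))
	cipher.NewCBCDecrypter(block, r.IV).CryptBlocks(p, r.CT)
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS7 padding: wrong key or corrupted data")
	}
	return p[:len(p)-n], nil
}
```

Rotating with the platform cipher follows the same shape: activate the new key first, then leave the old one in place for as long as records written under it exist.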

After you configure and activate the cipher, you specify the classes and properties to encrypt. For more information, see Encrypting the storage stream (BLOB) and Creating an access control policy for the PropertyEncrypt action.

For more information about encryption, see the Pega Community article Encryption in Pega Platform.