Encrypting data


To make your data more secure, you can select the type of encryption to use in your application to encrypt and decrypt passwords, properties, and BLOBs.

Access the Data Encryption tab by clicking Configure > System > Settings > Data Encryption.

The Data Encryption tab is visible to operators who have the pxCanManageDataEncryption privilege in their access roles. This privilege is part of the PegaRULES:SecurityAdministrator role.

The following options are available:

Application data encryption (exposed by default)
You can change the encryption type for your application at any time by switching between the platform cipher and a custom cipher.
  • Platform cipher – The platform cipher uses the AES256-CBC with PKCS7 Padding cryptographic algorithm to encrypt and decrypt sensitive case data in your application. You need to use your own Customer Master Key (CMK), managed by your external key management service (KMS). The keys stored in AWS KMS support time-based and on-demand data key rotations. You do not need to create any custom cipher code for this encryption option.

    When changing the KMS keystore, you must activate the new keystore before you delete or disable the active Customer Master Key.
  • Forced data key rotation – You can rotate the internal encryption key at any time. This is typically done if the Customer Data Key in the platform cipher has been compromised. The key can be rotated regardless of the configured key rotation period in the keystore data instance.
  • Custom cipher – The Custom cipher is used when the platform cipher does not suit your company’s needs. To use this encryption type in your application, you need to create your own custom encryption cipher. For more information, see Creating a custom cipher in Pega Platform.

    You can switch between the platform cipher and a custom cipher to change the encryption type for your application at any time.

    When you switch between cipher types, do not delete the original custom cipher or encryption keys. Deleting the previous custom cipher or encryption keys will make Pega Platform unable to decrypt previously encrypted data.

After you configure and activate the cipher, you specify the classes and properties to encrypt. For more information, see Encrypting the storage stream (BLOB), and Creating an access control policy for the PropertyEncrypt action.
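As an added illustration (not Pega's own cipher code) of the rotation and key-deletion behaviour described above: each ciphertext records the data key version it was written under, so a forced rotation keeps older records readable, while deleting a prior key version makes those records unrecoverable. The class name VersionedAesCbcCipher is hypothetical, and in-memory keys stand in for the KMS-wrapped data keys of the platform cipher; Java's AES/CBC/PKCS5Padding transform is AES-CBC with the PKCS7 padding named on the page.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
// Hypothetical illustration: keys live in memory here; the platform cipher wraps them with the CMK in AWS KMS.
public class VersionedAesCbcCipher {
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding"; // PKCS7 block padding in Java's naming
    private final Map<Integer, SecretKey> dataKeys = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private int currentVersion = 0;
    public VersionedAesCbcCipher() throws Exception { rotate(); }
    // Forced data key rotation: new writes use the new key; older versions stay readable.
    public int rotate() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        dataKeys.put(++currentVersion, kg.generateKey());
        return currentVersion;
    }
    // Ciphertext layout: 4-byte key version | 16-byte random IV | AES-CBC output.
    public byte[] encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[16]; rng.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, dataKeys.get(currentVersion), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(20 + ct.length).putInt(currentVersion).put(iv).put(ct).array();
    }
    public String decrypt(byte[] blob) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        int version = buf.getInt();
        byte[] iv = new byte[16]; buf.get(iv);
        byte[] ct = new byte[buf.remaining()]; buf.get(ct);
        SecretKey key = dataKeys.get(version);  // null once that version was deleted
        if (key == null) throw new IllegalStateException("data key v" + version + " is gone");
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }
    public void deleteKeyVersion(int version) { dataKeys.remove(version); } // what the page warns against
    public static void main(String[] args) throws Exception {
        VersionedAesCbcCipher cipher = new VersionedAesCbcCipher();
        byte[] oldBlob = cipher.encrypt("constructed sample record");  // written under v1
        cipher.rotate(); System.out.println(cipher.decrypt(oldBlob)); // v2 active; v1 data still readable
        cipher.deleteKeyVersion(1);
        try { cipher.decrypt(oldBlob); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```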

Application master key usage history
You can see read-only data based on the application data encryption settings, which shows the activation and rotation history.
System data encryption (exposed by default)
Specifies which master key provider is used for system data encryption. The only data that is encrypted is the session cookie. There are two master key providers:
  • Pega Platform – Pega will generate the key for you.
  • Keystore – You can provide your own key by specifying a key and selecting a keystore instance.
Master key usage history
You can see read-only data based on the system data encryption settings, which shows the activation and regeneration history.

Do not delete data from the pr_data_admin_sec* tables. Doing so might result in loss of encrypted data.

For more information about encryption, see Encryption in Pega Platform.

  • Configuring the platform cipher

    Use the platform cipher to encrypt and decrypt sensitive data in your application without the need to create and code your own custom cipher. By using the platform cipher, you do not need to share knowledge about sensitive data in your application with Pega staff, because their assistance is not required to install a cipher.

  • Configuring a custom cipher

    Although Pega Platform has an integrated platform cipher, you can implement a custom cipher to address policies that are specific to your company. You can use your own custom cipher in Pega Platform as a data encryption type.

  • Configuring an Amazon Key Management Service (KMS) keystore

    To configure a keystore, you can reference the encryption key that is stored in the Amazon Web Services Key Management Service (AWS KMS).

  • Encrypting the storage stream (BLOB)

    In Pega Platform, you can encrypt the storage stream (BLOB) by using a platform or custom cipher.

  • Enabling and disabling encryption for communication among search nodes

    For on-premises deployments, enable encryption for communication among search nodes to prevent unauthorized access to the data that is transported across search nodes. By default, search is encrypted for cloud services and applications.

  • Implementing and using the TextEncrypted property type

    Single Value, Value List, and Value Group properties can be encrypted by using the Password and TextEncrypted encryption types. Both types produce encrypted or hashed values for the property value within the PegaRULES database, and both types offer some degree of security within the user interface. Another encryption type, PropertyEncrypt, can be used for all properties when your implementation uses attribute-based access control.

  • Creating an access control policy

    In the access control policy rule form, you define a policy that grants access to an object by evaluating selected conditions. For each rule, you can set one level of access, such as read, update, or delete, and the condition that defines whether the access is granted.

  • Enabling password encryption for BIX command-line extractions

    Enable security for the database username and password by implementing a Java Cryptography Extension (JCE) keyring encryption. To do so, create a pegarules.keyring file and append the encryption information to your command-line extraction Java method.
