Types of ciphers

On the Data Encryption tab, you select the type of encryption to use in your application to encrypt and decrypt passwords, properties, and BLOBs.

Note: The Data Encryption tab is visible to operators who have the pxCanManageDataEncryption privilege in their access roles. This privilege is part of the PegaRULES:SecurityAdministrator role.

Access this tab by clicking Configure > System > Settings > Data Encryption.

On this tab you select the encryption type to use in your application to encrypt and decrypt passwords, properties and BLOBs. The following options are available:

  • Platform cipher – The platform cipher uses the AES-256 cryptographic algorithm to encrypt and decrypt sensitive case data in your application. You need to use your own Customer Master Key (CMK), managed by your private Amazon Web Services Key Management Service (AWS KMS). The keys stored in AWS KMS support time-based and on-demand data key rotations. You do not need to create any custom cipher code for this encryption option. One platform cipher can be used between multiple tenants.
    When changing the AWS KMS keystore, you must activate the new keystore before you delete or disable the currently active Customer Master Key.
  • Custom cipher – If the platform cipher does not suit your company needs, you can choose to use a custom cipher. To use this encryption type in your application, you need to create your own custom encryption cipher. For more information, see the Pega Community article Creating a custom cipher in Pega Platform.

You can switch between the platform cipher and a custom cipher to change the encryption type for your application at any time. However, depending on what type of cipher you have chosen, Pega Platform uses the custom cipher settings or AWS KMS encryption keys to decrypt previously encrypted data. When you switch between cipher types, do not delete the custom cipher settings or the AWS KMS encryption keys.

If you switch from the platform cipher to a custom cipher and delete the AWS KMS encryption keys, you will not be able to encrypt all your previously encrypted data. For information about how to change from the platform cipher to a custom cipher, contact Global Customer Support.