Close popover
Rob McCallum (MCCAR1)
Sr. System Architect
MCCAR1 Member since 2009 26 posts
Posted: July 15, 2020
Last activity: July 29, 2020

Application data encryption using custom KMS: can we use 256-bit key?

My client will implement property-level encryption using custom key management service. I believe this is covered by 'application data encryption' (not 'system data encryption').

We looked on this page for help:

Here it says: 'The master key in the custom KMS must be a 128-bit AES key'. It also says: 'enter a code snippet similar to the example shown in step 2 of the sample activity pzSampleGetCustomMasterKey'.

We looked at this activity and in step 2 it needs to access remote services to (i) decrypt the ecdk, and (ii) encrypt the cdk (using a remotely managed master key).

Since this activity sends the cdk for remote encryption (and sends ecdk for remote decryption), Pega doesn't touch the master key at all, so does it really matter what type of master key is used?

If the answer to this is yes: why is this?

BTW client security team would like to use AES 256 because it is more secure than 128-bit.

Pega Platform 8.4.1 Security