Question
Scotiabank
CA
Last activity: 6 Jul 2020 5:24 EDT
Difference between Application and System data encryption
We are using Pega 8.3.
Under System -> Settings -> Data Encryption, there are two options, "Application Data Encryption" and "System Data Encryption". What's the difference between the two? I tried to find it in the documentation provided, didn't find a proper answer.
We want to use 'Attribute Based Access Control' to encrypt some properties, so which Data Encryption configuration should we update?
Regards,
Sandeep
Pegasystems Inc.
US
By default, the platform applies certain encryptions standards while storing the data to DB. However to apply additional layers of encryption OR use customer encryption types, one can use Data Encryption options. System data like passwords use System Data Encryption & Application Data refers to the case data.
As you are requirement is about encryption some (individual) properties, you need to create an access control policy with PropertyEncrypt action.
Would recommend checking the below articles in detail.
https://community.pega.com/knowledgebase/articles/security/encryption-pega-platform
Let me know if that helps!
Scotiabank
CA
Thanks Harish for your response! but my query was different. Even before we use access control policy rule with PropertyEncrypt option, we need to define what type of encryption and which cipher and keys needs to be used. It needs to be defined under System -> Settings -> Data Encryption landing tab.
When I go there I see two options "Application Data Encryption" and "System Data Encryption", It is not clearly described in community help that which one is responsible for ABAC PropertyEncrypt option (My guess is "Application Data Encryption").
Under "Application Data Encryption" there are two options "Platform Cipher" and "Custom Cipher". In our case, client does not have any Cloud KMS solution (AWS, Azure, Hashicorp etc.), So I am planning to create my own Java KeyStore (JKS) and store the AES 128 bit secret key there. As per Pega documentation (https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#security/data-encryption/custom-kms-app-data-tsk.htm) I need to create a Data Page and populate the key in CustomMasterKey object from KeyStoreUtils. I followed all the steps i.e. copying the code snippet (step 2) from OOTB activity "pzSampleGetCustomMasterKey" and updating masterkeys/CDK etc. but when I am trying to create the keystore rule (using the Data Page), it throws error in log file. There is not much detail in the error message printed in the log file and engine API documentation is not detailed for "CustomMasterKey" class.
Thanks Harish for your response! but my query was different. Even before we use access control policy rule with PropertyEncrypt option, we need to define what type of encryption and which cipher and keys needs to be used. It needs to be defined under System -> Settings -> Data Encryption landing tab.
When I go there I see two options "Application Data Encryption" and "System Data Encryption", It is not clearly described in community help that which one is responsible for ABAC PropertyEncrypt option (My guess is "Application Data Encryption").
Under "Application Data Encryption" there are two options "Platform Cipher" and "Custom Cipher". In our case, client does not have any Cloud KMS solution (AWS, Azure, Hashicorp etc.), So I am planning to create my own Java KeyStore (JKS) and store the AES 128 bit secret key there. As per Pega documentation (https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#security/data-encryption/custom-kms-app-data-tsk.htm) I need to create a Data Page and populate the key in CustomMasterKey object from KeyStoreUtils. I followed all the steps i.e. copying the code snippet (step 2) from OOTB activity "pzSampleGetCustomMasterKey" and updating masterkeys/CDK etc. but when I am trying to create the keystore rule (using the Data Page), it throws error in log file. There is not much detail in the error message printed in the log file and engine API documentation is not detailed for "CustomMasterKey" class.
I am not sure whats wrong with the configuration. It might also be a bug on the platform, then I will open an SR for that.
Pegasystems Inc.
US
Yes, it has to be Application Data Encryption in your case.
If there is not much of detail in the log file, SR must be a good path to confirm what's wrong.
KCI
IN
Hi Sandeep,
Did you get the solution from Pega for your approach. Could you please share if so.