Implementing BLOB and Property Encryption

If you want to encrypt the BLOB and properties, either in a new or an existing application, the attached implementation guide will help you step by step. The document also includes a deployment plan to make sure the encryption is applied correctly in other environments.

@MITTS

Contents:

  1. General
    1. Pre-Project Considerations
  2. Setup
    1. Step 1: Configure KeyStore
    2. Step 2: Activate KeyStore
  3. Encryption of BLOB
    1. Removal of class instances
    2. Encrypt BLOB
  4. Encryption of exposed properties
    1. Access Control Policy
    2. Column Length
  5. Encryption in Exposed Properties – Issues and Design Patterns
    1. Section Rules – Visibility conditions in expressions
    2. Validation Rules
    3. Data Transforms/Activities
    4. Full Text Search
    5. Reporting
  6. BIX
  7. Deployment

Encryption - BLOB and exposed properties.pdf (788 KB)

@mowam - Good post on encryption of BLOB data. But I am unable to visualize the use case in this context. Also, why don't we use the password option for all the properties inside the BLOB, as this is also a kind of encryption? Please help me to understand password vs. this encryption option.

@Ravi Kumar Pisupati, as you know, in Pega you can do the same thing in several ways. Encrypting the BLOB has these advantages:

  • It will encrypt all the properties for you, so it's quicker to implement.
  • If you later on add new properties to your class, they will be encrypted by default.

I hope this helps.

@MohamedMowafy

Hi, can we use any type of keystore for the Platform cipher? I've created a Java keystore, but it doesn't show in the keystore field. It seems it only supports Amazon KMS if we want to use the Platform cipher?

@lokw9603

Yes, Pega supports keystores from custom sources; please refer to this documentation:

If this still doesn't work, I would recommend raising a ticket with Pega support.

Please update this post once you get a resolution; in case others have the same issue.

@MohamedMowafy

Thanks for the reply.

In your document it is mentioned that the data instances must be deleted from the system. Can we not delete them and instead use encryptPropertyValue to encrypt the BLOB?

Also, for existing work objects that have exposed properties prior to encryption being turned on, do we use encryptPropertyValue to encrypt them? Thanks.

@MohamedMowafy

I created a keystore and tried to use it in the Data Encryption settings. Got the error "robotic_keystore is not of type Amazon Key Management service."

@lokw9603

  1. Instances need to be deleted, as the class-level BLOB encryption check box only gets enabled if there are no instances in the class.

Above is what is recommended OOTB and supported for BLOB, from what we are aware of.

  2. Again, an access control policy is the recommended way forward. If you follow approach 1, then when you save a new record any exposed property will be governed by the access control policy. Alternatively, for already created work objects you can try creating an access control policy for the exposed property, then try to save the BLOB again and see whether the exposed property gets encrypted or not.

@Salil

I deleted all instances and created the access control policy for the exposed column. But the varchar column can still be viewed in plain text, i.e. it is not encrypted. I checked the systemout.log file, and it seems the CustomCipher class is called; I saw the "encrypting" and "decrypting" output. Any advice on what could be wrong? How can I check that super.encrypt is called?

Thanks.

Here is the CustomCipher.java:

package com.fepoc;

import com.pega.pegarules.exec.internal.util.crypto.PRCipherBase;

public class CustomCipher extends PRCipherBase {

    // 16-byte array handed to PRCipherBase.init() as its second argument
    private static final byte[] a = {
        (byte)0x9a, (byte)0x86, (byte)0x5b, (byte)0xe1, (byte)0x64, (byte)0xf7,
        (byte)0x69, (byte)0xd4, (byte)0x00, (byte)0x96, (byte)0x04, (byte)0x68,
        (byte)0xff, (byte)0xd1, (byte)0x8e, (byte)0xed,
    };

    // Third init() argument; intentionally left empty here
    private static final byte[] b = null;

    // Passphrase (redacted in the post)
    private static final String c = "************";

    public CustomCipher() {
        init(c, a, b);
    }

    // Log a marker, then delegate to the base-class implementation
    public byte[] encrypt(byte[] aInput) {
        System.out.println("encrypting");
        return super.encrypt(aInput);
    }

    public byte[] decrypt(byte[] aInput) {
        System.out.println("decrypting");
        return super.decrypt(aInput);
    }
}