Can someone help me with the below questions related to encryption?
How the PEGA platform generates the master key?
Where the PEGA Platform generated master key gets stored?
Who will have access to it?
How the master key is rotated? how long the master key is valid once the platform generates it?
When the PEGA is not enabled with BYOK feature say (AWS KMS/ Azure Key vault), as per the help it says the secrets of keystore are encrypted using the platform generated master key, so in-order to configure the BYOK I need to create keystore initially where the keystore secrets are encrypted using the platform generated key. How can I encrypt this key store with BYOK? Will simply re-saving the keystore works?
Below explanation for Application Data encryption (which protects sensitive case management data. )
We have two types of keys: 1) Customer master key (CMK) 2) Customer data key (CDK). The customer data key is internal to Pega so it can generate and rotate. Internal CDKs are protected by CMKs. You can configure AWS master key or Google cloud (also Hashicorp)master key as CMK in Pega. CDK will be used to encrypt & decrypt Pega sensitive data.
Answers
You can use AWS , Google, or Hashicorp key as a master key.
Pega generates internal CDK by using Java’s SecureRandom algorithm.
As I mentioned above, you can use an external master key from a supported cloud provider.
CDK encrypted by using a configured master key and stored in the data base. We never store plaintext CDKs in Database.
To access cloud provider master key, you need to have access and secret keys.
Pega has full control of CDKs so it can rotate CDKs based configuration. Pega can’t rotate the master key.
You need to provide a master keyID, access key, and secret key in a Keystore. This Keystore will be used to configure encryption settings. BYOK is not applicable to this Keystore.
Please let me know if you need any further information.
The question is about PEGA platform internal Master key when the platform is not activated with the customer key.
For encryption - PEGA help says – “ Most other types of sensitive configuration data will be encrypted by using the BYOK feature if you configure it, otherwise these will be encrypted using the internal Pega Platform cipher and Pega Platform-generated master key, for example:
Authentication passwords for services, connectors, agents, and email.
Client secrets in keystores, authentication services, and authentication profiles.”