Skip to main content

Discussion

 Mohamed Mowafy (MohamedMowafy)
PEGA
Senior System Architect
Pegasystems Inc.
GB
MohamedMowafy Member since 2019 2 posts
PEGA
Posted: Jan 23, 2021
Last activity: May 26, 2021
Posted: 23 Jan 2021 9:16 EST
Last activity: 26 May 2021 15:15 EDT

Implementing BLOB and Property Encryption

If you want to encrypt the BLOB and properties, either in a new or an existing application; the attached implementation guide will help you step by step. The document also includes a deployment plan to make sure the encryption is applied correctly in other environments. 

@MITTS 

Contents:

  1. General    
    1.     Pre-Project Considerations    
  2. Setup    
    1.     Step 1: Configure KeyStore    
    2.     Step 2: Activate KeyStore    
  3. Encryption of BLOB    
    1.     Removal of class instances    
    2.     Encrypt BLOB    
  4. Encryption of exposed properties    
    1.     Access Control Policy    
    2.     Column Length    
  5. Encryption in Exposed Properties – Issues and Design Patterns    
    1.     Section Rules – Visibility conditions in expressions    
    2.     Validation Rules    
    3.     Data Transforms/Activities    
    4.     Full Text Search    
    5.     Reporting    
  6. BIX    
  7. Deployment    

 

***Edited by Moderator Marissa to update Content Type from Idea to Discussion; added Developer Knowledge Share tag***
To see attachments, please log in.
Pega Customer Service 8.3
Pega Platform 8.3.1
Security
Cross-Industry
Lead System Architect
Senior System Architect
Developer Knowledge Share

  • Reply
  • Ryan Kehoe Ravi Kumar Pisupati Guojun Tao Shuvadeep Das Harivishnu Srikantham
Posted: 4 years ago
Updated: 4 years ago
Posted: 25 Jan 2021 16:53 EST
Updated: 25 Jan 2021 21:53 EST
Ravi Kumar Pisupati (Mr.Pisupati)
CVS Health
Lead Solutions Architect
CVS Health
US

@mowam - Good post on encryption of BLOB data. But I am unable to visualize the usecase in this context. Also, why don't we use the password option for all the properties inside the BLOB and this is also a kind of encryption? Pls help me to understand on password Vs this encrypting option.

 

To see attachments, please log in.
Posted: 4 years ago
Updated: 4 years ago
Posted: 20 Apr 2021 5:07 EDT
Updated: 20 Apr 2021 5:08 EDT
Mohamed Mowafy (MohamedMowafy)
PEGA
Senior System Architect
Pegasystems Inc.
GB

@Ravi Kumar Pisupati  as you know in Pega you can do the same thing in several ways. Encrypting the BLOB  has these advantages:

  • Will encrypt all the properties for you, so its quicker to implement,
  • If you later on add new properties to your class; they will be encrypted by default. 

I hope this helps.

To see attachments, please log in.
Posted: 4 years ago
Posted: 5 May 2021 4:16 EDT
Mohamed Mowafy (MohamedMowafy)
PEGA
Senior System Architect
Pegasystems Inc.
GB

@lokw9603

Yes, Pega supports keystore from custom sources, please refer to this documentation:

If this still doesn't work, I would recommend to raise a ticket with Pega support.

Please update this post once you get a resolution; in case others have the same issue.

To see attachments, please log in.
Posted: 4 years ago
Posted: 18 May 2021 9:51 EDT
chi lok wong (lokw9603)
CareFirst Inc
chi lok wong
CareFirst Inc
US

@MohamedMowafy

Thanks for the reply. 

In your document, it is mentioned, the data instances must be deleted from the system, can we not deleted them and use encryptPropertyvalue to encrypt the BLOB.

Also for existing work objects that has exposed property prior to encryption being turn on, do we use encryptPropertyValue to encrypt them?   Thanks.

To see attachments, please log in.
Posted: 4 years ago
Posted: 20 May 2021 16:43 EDT
Salil Mittal (Salil)
PEGA
Principal System Architect
Pegasystems Inc.
IN

@lokw9603

1) Instances need to be deleted as class level BLOB encryption check box only gets enabled if there are no instances in the class.

Above is what is recommended OOTB and supported for BLOB from what we are aware of 

2) Again Access control policy is the recommended way forward. If you follow approach 1 then when you save a new record then any exposed property will be governed by access control policy. Alternatively for already created work objects you can try creating an access control policy for the exposed property and try and save the BLOB again and see if the exposed property gets encrypted or not. 

To see attachments, please log in.
Posted: 4 years ago
Posted: 26 May 2021 15:15 EDT
chi lok wong (lokw9603)
CareFirst Inc
chi lok wong
CareFirst Inc
US

@Salil

deleted all instances, created the access control policy for the exposed column.   But the varchar column still can be viewed in plain text; i.e. it is not encrypted.   I checked the systemout.log file, seems the CustomCipher class is called; saw the "encrypting" and "decrypting" output.   Any advise on what could be wrong?   How can i check super.encrypt is called?

 

thanks.

 

here is the CustomCipher.java

package com.fepoc;

import com.pega.pegarules.exec.internal.util.crypto.PRCipherBase;

public class CustomCipher extends com.pega.pegarules.exec.internal.util.crypto.PRCipherBase {

private static final byte[] a = {

(byte)0x9a, (byte)0x86, (byte)0x5b, (byte)0xe1, (byte)0x64, (byte)0xf7,

(byte)0x69, (byte)0xd4, (byte)0x00, (byte)0x96, (byte)0x04, (byte)0x68,

(byte)0xff, (byte)0xd1, (byte)0x8e, (byte)0xed,

};

private static final byte[] b = null;

private static final String c = "************";

public CustomCipher() {

init(c, a, b);

}

public byte[] encrypt(byte[] aInput) {

System.out.println("encrypting");

return super.encrypt(aInput);

}

 

public byte[] decrypt(byte[] aInput) {

System.out.println("decrypting");

return super.decrypt(aInput);

}

}

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice