My client will implement property-level encryption using custom key management service. I believe this is covered by 'application data encryption' (not 'system data encryption').

We looked on this page for help: https://community.pega.com/sites/default/files/help_v84/procomhelpmain.htm#security/data-encryption/custom-kms-app-data-tsk.htm

Here it says: 'The master key in the custom KMS must be a 128-bit AES key'. It also says: 'enter a code snippet similar to the example shown in step 2 of the sample activity pzSampleGetCustomMasterKey'.

We looked at this activity and in step 2 it needs to access remote services to (i) decrypt the ecdk, and (ii) encrypt the cdk (using a remotely managed master key).

Since this activity sends the cdk for remote encryption (and sends ecdk for remote decryption), Pega doesn't touch the master key at all, so does it really matter what type of master key is used?

If the answer to this is yes: why is this?

BTW client security team would like to use AES 256 because it is more secure than 128-bit.