Encrypting using IPRCrypto interface methods
Hi Pega,
We are exploring different ways in Pega Platform 8.7.4 to store some sensitive information as encrypted strings. Could you please answer the following:
1. We see that the standard way to do this is to use the Data Encryption landing page. I reckon that Pega uses a customer master key (CMK) (managed outside Pega) to encrypt the customer data keys (CDK), and the CDK is used to encrypt/decrypt data. The CDKs are generated by Pega, and the CDKs can rotate automatically or manually. How is the data encrypted by CDK1 decrypted after the CDK is rotated and a new key, CDK2, is used to encrypt/decrypt data? Does the platform cipher know which CDK to use and take care of that somehow? Or do we have to do something during implementation?
2. How should a Java keystore be set up if we use a keystore for the CMK? What are the exact contents (names) Pega looks for inside the keystore?
3. We see that there is a public interface IPRCrypto, and it has some methods which seemed of interest, but there isn't much info in the Javadoc.
   1. encrypt(): How is the encryption key managed for this method to work? What about the concept of CMK/CDK?
   2. encryptUsingKeyStore(): It says it uses the keystore mentioned on the security landing page. Is it the same one that's chosen for application encryption on the Data Encryption landing page? Or something else? How does the concept of CMK and CDK work with this method?