Question
Virtusa
US
Last activity: 16 Feb 2022 3:24 EST
Platform cipher for Application data encryption using keystore location option as “Custom”
We are in the process of configuring the “Platform cipher” for Application data encryption using the keystore location option “Custom” (“Source master key from other KMS using data page”).
As per the documentation step# 1.c, the steps from the OOTB activity “pzSampleGetCustomMasterKey” can be leveraged.
However, the activity steps refer to Pega-specific APIs for which documentation or a sufficient description is not available, so we would like to know the details below:
- We would like to understand what we are trying to achieve by encrypting the value if it is plain and decrypting it if it is encrypted, since it is the key and not the data.
As per the implementation of the OOTB activity “pzSampleGetCustomMasterKey”, the steps below are executed to load the master key.
- If the Customer data key is encrypted:
  - Then decrypt the key and assign the decrypted key to the CDK variable.
  - Set null to the ECDK variable.
- If the Customer data key is not encrypted:
  - Then encrypt the key and assign the encrypted value to the ECDK variable.
  - Set null to the CDK variable.
- As per the comment “decrypt the above ecdk at remote KMS and assign it to the cdk variable”: what does the “Remote KMS” refer to with respect to key encryption and decryption? Is it internal to Pega, or do we need to configure a remote KMS like Amazon etc.? We do not intend to use any remote KMS; that is the reason we are using the keystore location option “Custom” (“Source master key from other KMS using data page”).
- Do we need to follow the steps below even if we want to use a plain 16-byte string as the secret key? At least for POC purposes.
Attached is the code from the OOTB activity “pzSampleGetCustomMasterKey” for reference.
Regards,
Abhinay
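Added illustration (not Pega's pzSampleGetCustomMasterKey code and not posted by the question's author): a Java stand-in for the two branches described in the post, decrypt the key if it arrives encrypted and encrypt it if it arrives plain, with the "remote KMS" modelled as an AES-GCM key-encryption key held in-process. The names MasterKeyRecord, KmsStandIn and loadMasterKey are hypothetical, the reading of "remote KMS" as a key-wrapping service is an assumption, and the only Pega-independent fact relied on is that a raw 16-byte value is a valid AES-128 key length.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative stand-in for the branch logic in the question; not Pega's own activity code. */
public class CustomMasterKeyExample {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** The two variables from the sample activity: after loading, exactly one of them is non-null. */
    static final class MasterKeyRecord {
        byte[] cdk;   // customer data key, plaintext (meant to exist in memory only)
        byte[] ecdk;  // customer data key, encrypted (wrapped) under the KMS key
    }

    /** Hypothetical stand-in for the "remote KMS": an AES-GCM key-encryption key held by this process. */
    static final class KmsStandIn {
        private final SecretKey kek;

        KmsStandIn(byte[] kekBytes) {
            this.kek = new SecretKeySpec(kekBytes, "AES");
        }

        /** Wrap a plaintext key; output is IV || ciphertext+tag so it can be stored as one blob. */
        byte[] wrap(byte[] plaintextKey) throws Exception {
            byte[] iv = new byte[GCM_IV_BYTES];
            RNG.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
            byte[] ct = c.doFinal(plaintextKey);
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        }

        /** Unwrap a blob produced by wrap(); a wrong KEK or tampered blob fails the GCM tag check. */
        byte[] unwrap(byte[] wrapped) throws Exception {
            byte[] iv = Arrays.copyOfRange(wrapped, 0, GCM_IV_BYTES);
            byte[] ct = Arrays.copyOfRange(wrapped, GCM_IV_BYTES, wrapped.length);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
            return c.doFinal(ct);
        }
    }

    /** The branch from the post: decrypt if encrypted, otherwise encrypt; never keep both forms. */
    static MasterKeyRecord loadMasterKey(MasterKeyRecord input, KmsStandIn kms) throws Exception {
        MasterKeyRecord out = new MasterKeyRecord();
        if (input.ecdk != null) {
            // Encrypted key supplied: recover the plaintext for use and drop the wrapped copy.
            out.cdk = kms.unwrap(input.ecdk);
            out.ecdk = null;
        } else if (input.cdk != null) {
            // Plain key supplied: check it is a usable AES key length, then store only the wrapped form.
            int n = input.cdk.length;
            if (n != 16 && n != 24 && n != 32) {
                throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + n);
            }
            out.ecdk = kms.wrap(input.cdk);
            out.cdk = null;
        } else {
            throw new IllegalStateException("neither cdk nor ecdk was supplied");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] kekBytes = new byte[32];
        RNG.nextBytes(kekBytes);                 // constructed KEK for the demo only
        KmsStandIn kms = new KmsStandIn(kekBytes);

        // Constructed sample: a plain 16-byte value, the POC scenario from the question.
        MasterKeyRecord plain = new MasterKeyRecord();
        plain.cdk = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        MasterKeyRecord stored = loadMasterKey(plain, kms);   // takes the "not encrypted" branch
        System.out.println("stored ecdk (base64): " + Base64.getEncoder().encodeToString(stored.ecdk));
        System.out.println("stored cdk is null: " + (stored.cdk == null));

        MasterKeyRecord runtime = loadMasterKey(stored, kms); // takes the "encrypted" branch
        System.out.println("recovered cdk matches: " + Arrays.equals(runtime.cdk, plain.cdk));
        System.out.println("runtime ecdk is null: " + (runtime.ecdk == null));
    }
}
```

Run with `javac CustomMasterKeyExample.java && java CustomMasterKeyExample`. The point the two branches make visible is that the plaintext key only ever exists in memory (cdk) while the stored form is the wrapped one (ecdk); whether the wrapping key lives in a real external KMS or, as here, in-process is the part of the question only Pega's documentation can settle.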