PMG Documentation

# Data Protection

The PMG platform provides methods to protect data, via encryption, retention rules, backup and recovery procedures, access rights and other procedures.

# Encryption

Data encryption is available within the application as described below.

# PMG Key Management Service (KMS)

The PMG KMS provides for encrypting and decrypting data via one or more keys maintained within a separate KMS.

PMG KMS provides its own unique key that is generated automatically at time of provisioning. The key is generated and stored in the environment and is not transmitted or stored outside of the environment. If new or updated servers are provisioned to the environment, new servers request the master password from the existing servers. The machine name and timestamp are logged to the KMS Events table. A hash of the master password is stored in the servers’ registry. To encrypt or decrypt, the local server registry hash needs to match the database hash.

Management of the PMG KMS for a given instance is performed with the command line utility, 'pmgspehelper.exe'. Command options for this utility are below. Note: when the KMS password is changed, all running PMG application instances are notified of the change in order to update their own access.

Change Password: /kmsu
Reinitialize: /kmsri
Export: /kmsex /output:<FileName> [/pwd:<password>]
Import: /kmsim /input:<FileName> [/pwd:<password>] [/force]
Backup: /kmsbu [/pwd:<password>] [/keep:n] (/keep = keep this many backups, default = 100)
List Backups: /kmsls
Restore: /kmsrs [/pwd:<password>] [/force] [/item:n] (/item = number to import, else latest is imported)

# PMG KMS Key Rotation

Key rotation is performed by the command line tool, pmgspehelper.exe above, as well as from the Administration, Utilities page, via "Change KMS Master Password"

# Customer Managed Key (CMK)

The PMG Platform supports "bring your own key" features with CMK features integrated with Amazon Web Services(AWS) KMS. Administration of the AWS KMS access credentials for the PMG Platform is provided from the Administration menu, CMK. The customer managed keys are retrieved from AWS at the PMG application startup time and kept in memory only within a PMG application server for the purpose of encrypting and decrypting data for storage or transmission.

The CMK administration screen has the following values.

Access Key - The AWS Access Key to use for the AWS CMK

Secret Key - The AWS Secret Key to use for the AWS CMK

Key Id - The AWS CMK Key Id to use for encryption and decryption

Region - The AWS region for the CMK

The following are available once credentials are configured.

Test - Validate the credentials with AWS

Rotate Data Key - rotate the encryption key manually

Data Keys - List keys from the AWS CMK

PMG Relay Framework