Skip to main content

Bring your own key encryption for Web Messaging

The Bring your own key (BYOK) encryption method for secure communication prevents the Digital Messaging Service from accessing chat message content exchanged between the end customer and your Pega Customer Service application. With BYOK encryption enabled for your Web Messaging connection, the data is encrypted on the system or device of the sender, and only the intended recipient (your Pega Customer Service™ application) can decrypt it.

The BYOK encryption process uses the Client key pair (Private and Public Client Key), Session key pair (Private and Public Session Key), and AES Message Key.

  • Client key pair: You are responsible for generating and installing the Private Client Key and the Public Client Key for your web messaging connection.
  • Session key pair: Web Messaging generates Public and Private keys for each chat session on the customer browser.
  • AES Message Key: The Digital Messaging Service encrypts all messages with individual AES-GCM message keys. The system then encrypts these keys with their respective public keys (Public Session Key for outbound and Public Client Key for inbound), and then attaches them to the payload.

The system encrypts context data and cookies on the Web Messaging widget before leaving the browser. Once encrypted with the Public Client Key, the system cannot decrypt customer messages on the Digital Messaging Service for conversation history retrieval during the chat session. For this reason, the system stores customer messages in the customer browser (local storage/indexed DB) for the duration of the chat session. 



This demonstration shows you how to implement Bring your own key (BYOK) encryption for web messaging connections.

U+ Bank wants to implement Bring your own key encryption for web messaging to secure their data so that a bad actor cannot decrypt customer messages, even if they somehow intercept or gain access to them.

To implement the business scenario, log in to Dev Studio as a Customer Service Administrator, and then navigate to the Connection tab of your Digital Messaging channel interface.

Now, expand the Advanced section, and then populate the Private key and Public key fields with your key values within begin and end tags.

After you add the keys, open the Digital Messaging Manager portal by clicking the Manage connections, and then create a new Web Messaging connection.

You receive a prompt to choose which encryption method to enable: Standard encryption or BYOK encryption. Select BYOK encryption so that all messages are encrypted with your provided keys.

Note: This selection screen is displayed only if you have completed the first step to install your private and public keys in your channel interface.

You cannot switch between Standard encryption and BYOK encryption for an existing Web Messaging connection. To make the change, delete the connection in your Digital Messaging Manager, and then create a new one.

You have reached the end of this video. You have learned:

  • How to implement Bring your own key (BYOK) encryption for web messaging connections to secure data.

This Topic is available in the following Modules:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice