---
title: Configuring PingAccess to use Amazon Key Management Services
description: During initial startup, PingAccess automatically generates a randomized master key, which by default is not encrypted. If you are running in Amazon Web Services (AWS), you can configure PingAccess to use Amazon Key Management Services (KMS) to encrypt the master key.
component: pingaccess
version: 9.0
page_id: pingaccess:configuring_and_customizing_pingaccess:pa_config_amazon_kms
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/configuring_and_customizing_pingaccess/pa_config_amazon_kms.html
revdate: February 6, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Configuring PingAccess to use Amazon Key Management Services

During initial startup, PingAccess automatically generates a randomized master key, which by default is not encrypted. If you are running in Amazon Web Services (AWS), you can configure PingAccess to use Amazon Key Management Services (KMS) to encrypt the master key.

## Before you begin

* Make sure that you have an active connection to AWS.

* Use AWS KMS to generate a key to use for the PingAccess master key encryption.

For more information about managing access rights to your keys using key policies or AWS Identity and Access Management (IAM), see [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).

## About this task

To configure the encryption of the PingAccess master key, modify the `pa.jwk.properties` file found in `<PA_HOME>/conf`.

## Steps

1. Stop PingAccess.

2. In a text editor, open `<PA_HOME>/conf/pa.jwk.properties`.

3. Locate the `pa.hostkey.masterKeyEncryptor` property.

4. Enable master key encryption.

   1. Change `com.pingidentity.pa.crypto.NoOpMasterKeyEncryptor` to the AWS KMS master key encryptor class name `com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor`.

   2. Locate the ID for the key that you generated using AWS KMS.

   3. If this is not the first time starting PingAccess, prefix the key ID with `"ENCRYPT:"`.

      ### Example:

      After making changes, the properties file should look similar to the following:

      ```
      pa.hostkey.masterKeyEncryptor=com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor
      pa.hostkey.keyId=ENCRYPT:d4e6adab-e20c-4339-ba76-e4cb1348713f
      ```

5. Save and close the updated `pa.jwk.properties` file.

6. Restart PingAccess.

   The PingAccess master file `pa.jwk` is encrypted using Amazon KMS.
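
As an added example (not part of the PingAccess product or its documentation), the following shell function checks a `pa.jwk.properties` file against the settings from the steps above before you restart. The function names and exit codes are assumptions made for this example, and the sample file is constructed from the example values on this page.

```shell
#!/bin/sh
# Added example: audit pa.jwk.properties before restarting PingAccess.
NOOP_CLASS='com.pingidentity.pa.crypto.NoOpMasterKeyEncryptor'
KMS_CLASS='com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor'

# Print the value of property $2 in file $1 (last assignment wins).
# Comment lines never match; leading whitespace and spaces around '=' are tolerated.
get_prop() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Exit codes (assumed for this example):
#   0 = KMS encryptor with a key ID    1 = NoOp encryptor, master key unencrypted
#   2 = KMS encryptor but no key ID    3 = unreadable file or unexpected class
check_master_key_config() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 3; }
    encryptor=$(get_prop "$file" pa.hostkey.masterKeyEncryptor)
    key_id=$(get_prop "$file" pa.hostkey.keyId)
    key_id=${key_id#ENCRYPT:}   # prefix added when this is not the first start
    case $encryptor in
        "$KMS_CLASS")
            if [ -z "$key_id" ]; then
                echo "FAIL: KMS encryptor selected but pa.hostkey.keyId is empty"
                return 2
            fi
            echo "OK: AWS KMS encryptor configured with key ID $key_id" ;;
        "$NOOP_CLASS")
            echo "FAIL: NoOp encryptor, master key is not encrypted"
            return 1 ;;
        *)
            echo "FAIL: unexpected encryptor class '$encryptor'"
            return 3 ;;
    esac
}

# Constructed sample built from the example values on this page.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' "pa.hostkey.masterKeyEncryptor=$KMS_CLASS" \
    'pa.hostkey.keyId=ENCRYPT:d4e6adab-e20c-4339-ba76-e4cb1348713f' > "$sample"
check_master_key_config "$sample"
```

To confirm that the key ID resolves for the AWS credentials PingAccess runs with, run `aws kms describe-key --key-id <key-id>` on the same host.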
