---
title: Implementing a MasterKeyEncryptor using AWS KMS
description: During initial startup, PingFederate automatically generates a randomized master key, which by default is not encrypted. If you are running in Amazon Web Services (AWS), you can configure PingFederate to use Amazon Key Management Services (KMS) to encrypt the master key.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_implement_masterkey_encrypt_aws_kms
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_implement_masterkey_encrypt_aws_kms.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: March 6, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Implementing a MasterKeyEncryptor using AWS KMS

During initial startup, PingFederate automatically generates a randomized master key, which by default is not encrypted. If you are running in Amazon Web Services (AWS), you can configure PingFederate to use Amazon Key Management Services (KMS) to encrypt the master key.

## Before you begin

* Make sure that you have an active connection to AWS.

* Use AWS KMS to generate a key to use for the PingFederate master key encryption.

* See [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the AWS documentation for general information about how you can manage access rights to your keys using key policies or AWS Identity and Access Management (IAM).

## About this task

To configure the encryption of the PingFederate master key, modify two files: `service-points.conf` and `com.pingidentity.crypto.jwk.MasterKeySet.xml`.

## Steps

1. Stop PingFederate.

2. Open `<pf_install>/pingfederate/server/default/conf/service-points.conf` in a text editor.

3. Locate the `master.key.encryptor` property:

   ```
   master.key.encryptor=com.pingidentity.crypto.jwk.NoOpMasterKeyEncryptor
   ```

4. To enable master key encryption using AWS KMS, replace the line shown in step 3 with the following line.

   ```
   master.key.encryptor=com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor
   ```

5. Save and close the file.

6. Open `<pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.jwk.MasterKeySet.xml` in a text editor.

   The contents of the file are shown here.

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <con:config xmlns:con="http://www.sourceid.org/2004/05/config">
       <!--
           Uncomment the below attribute to use an external key for encryption of PF Master Key.

           <con:item name="keyId"> put the key Id here </con:item>
       -->
       <con:item name="jwkEncrypted">false</con:item>
   </con:config>
   ```

7. Uncomment the `<con:item name="keyId">` element and specify the ID of the key that you generated using AWS KMS. For example, after you've made the change, the file might look like the following.

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <con:config xmlns:con="http://www.sourceid.org/2004/05/config">
       <con:item name="keyId">b3867a2c-4d15-8e0c-6f7b-0b1e61f7ad36</con:item>
       <con:item name="jwkEncrypted">false</con:item>
   </con:config>
   ```

8. Save and close the file.

9. Start PingFederate.

## Result

After configuring and starting PingFederate, the PingFederate master key file, `pf.jwk`, is encrypted.
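As an added example (not PingFederate's own code and not part of this page), the following Python check reads the two files edited in the steps above and reports whether their settings agree, so that an `AwsKmsMasterKeyEncryptor` left paired with a still-commented `keyId` is caught before PingFederate is restarted. The sample file contents are constructed; the property and class names are the ones shown in the steps.

```python
import xml.etree.ElementTree as ET

CONF_NS = {"con": "http://www.sourceid.org/2004/05/config"}
AWS_KMS_ENCRYPTOR = "com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor"
NOOP_ENCRYPTOR = "com.pingidentity.crypto.jwk.NoOpMasterKeyEncryptor"


def read_encryptor(service_points_text):
    """Value of master.key.encryptor in service-points.conf (key=value lines, '#' comments)."""
    for line in service_points_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "master.key.encryptor":
            return value.strip()
    return None


def read_key_id(master_key_set_xml):
    """keyId item from MasterKeySet.xml; None if absent or still inside the XML comment."""
    root = ET.fromstring(master_key_set_xml.encode("utf-8"))  # ElementTree drops comments
    item = root.find("con:item[@name='keyId']", CONF_NS)
    if item is None or not (item.text or "").strip():
        return None
    return item.text.strip()


def check_master_key_config(service_points_text, master_key_set_xml):
    """Findings that should block a restart; an empty list means the two files agree."""
    encryptor = read_encryptor(service_points_text)
    key_id = read_key_id(master_key_set_xml)
    findings = []
    if encryptor is None:
        findings.append("master.key.encryptor is not set in service-points.conf")
    elif encryptor == NOOP_ENCRYPTOR:
        findings.append("NoOpMasterKeyEncryptor in use: pf.jwk will stay unencrypted")
    elif encryptor == AWS_KMS_ENCRYPTOR and key_id is None:
        findings.append("AwsKmsMasterKeyEncryptor set but keyId is missing or commented out")
    if key_id is not None and encryptor != AWS_KMS_ENCRYPTOR:
        findings.append("keyId is set but the encryptor does not use AWS KMS")
    return findings


# Constructed sample: step 4 applied to service-points.conf, but step 7 not yet applied.
SAMPLE_SERVICE_POINTS = "# constructed sample\nmaster.key.encryptor=" + AWS_KMS_ENCRYPTOR + "\n"
SAMPLE_MASTER_KEY_SET = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<con:config xmlns:con="http://www.sourceid.org/2004/05/config">\n'
    '    <!-- <con:item name="keyId"> put the key Id here </con:item> -->\n'
    '    <con:item name="jwkEncrypted">false</con:item>\n'
    '</con:config>\n'
)
```

Running `check_master_key_config` on real copies of the two files returns an empty list only once both step 4 and step 7 have been applied.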
