How to use a custom/own key (BYOK) for AES-256-GCM Encryption & Decryption in ServiceNow KMF?

VenkatanathS
Tera Contributor

Hello ServiceNow Community,
I am working on the Key Management Framework (KMF) module in ServiceNow and need help with using our own organization-managed key for encryption and decryption instead of the ServiceNow-generated key.

 

Current Setup

Cryptographic Specification:
∙ Purpose: Symmetric Data Encryption / Decryption
∙ Algorithm: AES-256 GCM
∙ Origin: ServiceNow (auto-generated key)

 

Requirement


We want to replace the ServiceNow-generated key with our own organization-managed key (BYOK — Bring Your Own Key).
Specifically, we need to know:

 

1. How to change the Key Origin from ServiceNow to a customer-imported key?
2. How to generate and wrap our own key for import?
3. How to upload the custom key into the KMF module?
4. Are there any role or configuration prerequisites to be aware of?

 

Any help, documentation links, or community examples would be greatly appreciated!
Thank you in advance! 🙏

 

 

2 REPLIES

roopagowda
ServiceNow Employee

The product documentation below has answers to most of your questions; please refer to it.

https://www.servicenow.com/docs/r/yokohama/platform-security/upload-customer-supplied-key.html?conte...

The link below has details on how to generate the key and wrap it using commands:

https://www.servicenow.com/docs/r/zurich/platform-security/fe-config-customer-supplied-keys.html