
I have several questions regarding the encryption module.

SotaT
Tera Contributor


1. Considering that the selected encryption algorithm or key length may become compromised in the future, is it possible to configure ServiceNow to allow for the replacement of cryptographic modules?
Additionally, is it possible to standardize the application interfaces for cryptographic modules in advance?

 

2. Can we switch to another secure cipher immediately when the current one becomes unusable?
Also, since vulnerabilities can arise depending on how the cipher is used (e.g., operating mode), is it possible to select a secure combination (e.g., algorithm + mode + key length)?

 

3. Is the ServiceNow cryptographic module certified based on ISO/IEC 19790?

 

4. The critical private keys used for decrypting encrypted data and performing digital signatures must be stored in tamper-resistant cryptographic modules to protect them from unauthorized tampering or access.
To what extent is ServiceNow's tamper resistance guaranteed?


stevemarkovick
Tera Contributor

Great questions—this boils down to algorithm agility, certification, and key custody. In practice I’d aim for: AES-256 with AEAD (GCM), strict mode/config baselines, short rotation windows, and re-encryption workflows to swap ciphers. Keep private keys in an HSM or external KMS (KMIP/PKCS#11), and audit via the ServiceNow Trust site. For ISO/IEC 19790/FIPS 140-3 specifics, open a Now Support ticket with Security/Edge Encryption.
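
An added illustration of the algorithm agility and re-encryption workflow discussed in this thread, written for plain Node.js; it is not part of the reply above and is not ServiceNow code or a ServiceNow API. The suite registry, the two-byte envelope header, the in-memory keyring and the function names `seal`, `unseal` and `rewrap` are all assumptions made for the example; in a real deployment the keys would stay in the HSM or KMS.

```javascript
// Added example: the suite table, envelope layout and keyring are constructed for illustration.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Each suite pins algorithm + mode + key length + nonce length as one reviewed unit.
const SUITES = {
  1: { name: 'aes-128-gcm', keyLen: 16, ivLen: 12, tagLen: 16 }, // legacy (constructed)
  2: { name: 'aes-256-gcm', keyLen: 32, ivLen: 12, tagLen: 16 }, // current baseline
};

// Envelope layout: [suiteId:1][keyVersion:1][iv][tag][ciphertext]
function seal(suiteId, keyVersion, keyring, plaintext) {
  const s = SUITES[suiteId];
  if (!s) throw new Error(`unknown suite ${suiteId}`);
  const key = keyring[keyVersion];
  if (!key || key.length !== s.keyLen) throw new Error('key does not match suite');
  const header = Buffer.from([suiteId, keyVersion]);
  const iv = randomBytes(s.ivLen); // fresh nonce per message
  const c = createCipheriv(s.name, key, iv, { authTagLength: s.tagLen });
  c.setAAD(header); // authenticate the header so suite/key ids cannot be altered
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([header, iv, c.getAuthTag(), ct]);
}

function unseal(keyring, envelope) {
  const [suiteId, keyVersion] = envelope;
  const s = SUITES[suiteId];
  if (!s) throw new Error(`unknown suite ${suiteId}`);
  const key = keyring[keyVersion];
  if (!key) throw new Error(`no key version ${keyVersion}`);
  const header = envelope.subarray(0, 2);
  const iv = envelope.subarray(2, 2 + s.ivLen);
  const tag = envelope.subarray(2 + s.ivLen, 2 + s.ivLen + s.tagLen);
  const ct = envelope.subarray(2 + s.ivLen + s.tagLen);
  const d = createDecipheriv(s.name, key, iv, { authTagLength: s.tagLen });
  d.setAAD(header);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws if tampered
}

// Re-encryption workflow: move a stored record to the current suite and key version.
function rewrap(keyring, envelope, current) {
  if (envelope[0] === current.suiteId && envelope[1] === current.keyVersion) return envelope;
  return seal(current.suiteId, current.keyVersion, keyring, unseal(keyring, envelope));
}
```

Because every record names its own suite and key version, old and new ciphertexts can coexist while a background job calls `rewrap` on each record, and a retired suite is removed from the table only after no stored envelope references it.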