Configure Customer-supplied keys for Field Encryption Enterprise

  • Release version: Yokohama
  • Updated September 12, 2025
  • Bring your own data encryption key to the platform instead of using the one that ServiceNow generates.

    Before you begin

    Role required: KMF Admin or KMF Cryptographic Manager

    About this task

    If you're using Field Encryption Enterprise, you can bring your own data encryption key to the platform rather than using one generated by ServiceNow.

    You must have a symmetric key that has been generated outside of ServiceNow. The examples in this document rely on OpenSSL. For more information on OpenSSL, see details at https://www.openssl.org. If you are using other cryptographic tools, such as LibreSSL or GnuTLS, refer to the documentation for those products for similar steps.

    Procedure

    1. In a command line on your machine (example: Terminal), run the following command:
         openssl rand -out mykey.bin -hex 32
       Save the mykey.bin file, which is used in the following steps.
    2. On your instance, navigate to All > System Security > Field Encryption > Field Encryption Settings.
    3. Change the Key Source field from ServiceNow Generated Keys to Customer Supplied Keys.
    4. Select Submit.
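
    One way to run step 1 so that the key file is created readable only by its owner and is checked before the later steps. This is an added example, not part of the ServiceNow documentation; the function names generate_key and check_key_file are hypothetical.

```shell
#!/bin/sh
# Added example (not ServiceNow code). Function names are hypothetical.
# Usage: generate_key mykey.bin && check_key_file mykey.bin

# generate_key FILE: run the documented command under a restrictive umask.
generate_key() {
    keyfile=$1
    # Refuse to overwrite: replacing a key that is already in use loses it.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    # The subshell keeps the umask change local; the file is created as 0600.
    ( umask 077 && openssl rand -out "$keyfile" -hex 32 )
}

# check_key_file FILE: return 0 only if FILE is private and well formed.
check_key_file() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "$keyfile: not a regular file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile: accessible beyond its owner" >&2
        return 1
    fi
    # -hex 32 writes 32 random bytes as 64 hex characters plus a newline,
    # so the file is text despite the .bin name.
    key=$(cat "$keyfile")
    len=${#key}
    case $key in
        *[!0-9a-fA-F]*) bad=1 ;;
        *) bad=0 ;;
    esac
    unset key   # do not keep key material in the shell longer than needed
    [ "$bad" -eq 0 ] || { echo "$keyfile: non-hex content" >&2; return 1; }
    [ "$len" -eq 64 ] || {
        echo "$keyfile: expected 64 hex characters, got $len" >&2
        return 1
    }
    return 0
}
```

    The check never prints the key itself, only the reason a file was rejected.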

    What to do next

    To use the symmetric key you've created on your instance, follow these steps:

    1. Configure properties for customer-supplied key
    2. Wrap your customer-supplied key
    3. Upload your customer-supplied key