Configure and upload your customer supplied key

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    You can use your own customer-supplied key instead of using the ServiceNow® system-generated keys.

    Before you begin

    Roles required: security_admin, sn_kmf.cryptographic_manager

    If you’re NOT supplying your own keys, you don’t need to perform this procedure. To create a cryptographic module with ServiceNow® keys, go to Create a cryptographic module or Create cryptographic module for Field Encryption.

    Note:
    This procedure only applies to Column Level Encryption Enterprise functionality. See Activate Field Encryption Enterprise for more information.
    Important:
    You can’t revoke a customer supplied key.

    Procedure

    1. Navigate to All > System Security > Field Encryption Settings and verify that Customer Supplied Keys is selected.
      Figure 1. Key source selection
      Field Encryption Settings Key Source selection form.
    2. Select Submit.
    3. Return to System Security > Field Encryption Modules > Create New.
      Figure 2. Create new cryptographic module
      Column Level Encryption create crypto module form.
    4. Complete the Cryptographic Module form as follows:
      Table 1. Cryptographic Module fields
      Field                          Description
      Module Name                    Enter a name for the module.
      Crypto spec template           The default cryptographic template is selected.
      Name                           Auto-populates from the module name, prefixed with the scope so that it is clear which application the module applies to. In this case, the global scope is applied.
      Crypto module lifecycle state  Select Published to activate the crypto module.
      Parent crypto module           The parent module column_level_encryption is selected automatically when using customer-supplied keys and encryption modules.

    5. Select Submit.
    6. Select the newly created cryptographic module from the table.
      In the Crypto Specifications related list, select the auto-generated key alias with the AES 256 CFB algorithm.

      The system populates the Crypto purpose and the Algorithm for Column Level Encryption automatically and jumps to the Key Origin stage.

    7. Notice that Upload customer supplied key is the Origin and the Key alias is already populated.
      Figure 3. Key origin
      Crypto specification key origin of CSK
    8. Select Next to move to the Key Creation stage.
      There are two links:
      • Download wrapping key downloads a zip file containing an import token and a public key certificate (.PEM file). The import token is used to verify that the key was wrapped according to the instance's security specification. Use the public key certificate (.PEM file) to wrap your customer-supplied key securely before uploading it together with the token.
      • Upload customer supplied key opens the file browser to select the token and the encrypted key that you wrapped.
      Figure 4. Key creation upload links
    9. Select Download wrapping key to save the token.
      Save the token to the same location on your system as your key. Don't rename the downloaded token.
    10. Run the BYOK command on a terminal to wrap the key.
      For more information, refer to Wrap your customer-supplied key.
    11. Select Upload customer supplied key.
    12. Select Browse and choose the two files: the wrapped key and the token file.
      The Attachments window displays the two files.
      Figure 5. Wrapped key attachments upload
      Attachment upload window.
      Select a file to remove and reupload, if necessary.
    13. Select OK.
      You're returned to the Cryptographic Module screen. A confirmation message indicates that the customer key was uploaded successfully. The key is also listed in the Module Keys related list.
      Figure 6. Confirmation of key upload
      Module Keys table with customer-supplied key uploaded.
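As an added illustration of the wrapping mechanism behind steps 8 to 10 (this is example code, not ServiceNow's BYOK command or its output format, which comes from Wrap your customer-supplied key), the Go code below wraps a 32-byte AES-256 key to the RSA public key in a downloaded .PEM certificate using RSA-OAEP with SHA-256, an algorithm assumed for the example. It checks the key length, the PEM block type, the certificate's validity window and the key type before wrapping; the certificate fixture and the function names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// WrapCustomerKey wraps a 32-byte AES-256 key to the RSA public key in the downloaded .PEM certificate (RSA-OAEP, SHA-256; assumed algorithm).
func WrapCustomerKey(certPEM, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("customer key must be exactly 32 bytes (AES-256)")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("PEM file does not contain a CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("wrapping certificate is outside its validity period")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// ConstructedWrappingCert is constructed test data standing in for the instance's .PEM.
func ConstructedWrappingCert() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The private half of the constructed certificate exists only so the round trip can be verified locally; with the real download, only the instance holds the unwrapping key.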

    What to do next

    Now that you have finished configuring your cryptographic module with your customer-supplied key, move on to Create a module access policy.