Create a cryptographic module with external key wrapping

  • Freigeben Version: Australia
  • Aktualisiert 12. März 2026
  • 1 Minute Lesedauer

    • Create a cryptographic module that uses external Amazon Web Services Key Management System (AWS KMS) key wrapping to encrypt ServiceNow data.

    Vorbereitungen

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Confirm that you have:

    Warum und wann dieser Vorgang ausgeführt wird

    A cryptographic module with external key wrapping generates encryption keys that are wrapped (encrypted) by your AWS KMS key instead of ServiceNow's internal key management. ServiceNow can't decrypt your data without access to your external AWS key.

    Prozedur

    1. Navigate to All > System Security > Field Encryption Modules.
    2. Select New.
    3. Enter a name for the module in the Name field.
    4. Select the External wrap key check box.
      Wichtig:
      If Externally Wrap Key isn't selected, the module uses internal key wrapping, which doesn't use your AWS KMS key.
    5. In the External KMS Configuration field, enter or use the search function to select your EKMS configuration.
    6. Select Submit to save the cryptographic module.

    Ergebnisse

    The cryptographic module is created and ready to be used for encrypting field data. The encryption key is wrapped by your AWS KMS key, establishing external key management.

    When you enable external key wrapping, all keys for this module are automatically rewrapped with your External Key Encryption Key (EKEK). This protects them with your EKMS key. Both existing keys and future keys you create will be externally wrapped.

    Nächste Maßnahme

    Next steps: