Create a cryptographic module with external key wrapping

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 1 minute de lecture

    • Create a cryptographic module that uses external Amazon Web Services Key Management System (AWS KMS) key wrapping to encrypt ServiceNow data.

    Avant de commencer

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Confirm that you have:

    Pourquoi et quand exécuter cette tâche

    A cryptographic module with external key wrapping generates encryption keys that are wrapped (encrypted) by your AWS KMS key instead of ServiceNow's internal key management. ServiceNow can't decrypt your data without access to your external AWS key.

    Procédure

    1. Navigate to All > System Security > Field Encryption Modules.
    2. Select New.
    3. Enter a name for the module in the Name field.
    4. Select the External wrap key check box.
      Important :
      If Externally Wrap Key isn't selected, the module uses internal key wrapping, which doesn't use your AWS KMS key.
    5. In the External KMS Configuration field, enter or use the search function to select your EKMS configuration.
    6. Select Submit to save the cryptographic module.

    Résultats

    The cryptographic module is created and ready to be used for encrypting field data. The encryption key is wrapped by your AWS KMS key, establishing external key management.

    When you enable external key wrapping, all keys for this module are automatically rewrapped with your External Key Encryption Key (EKEK). This protects them with your EKMS key. Both existing keys and future keys you create will be externally wrapped.

    Que faire ensuite

    Next steps: