Configure Customer-supplied keys for Field Encryption Enterprise

  • Release version: Australia
  • Updated March 12, 2026
  • Bring your own data encryption key to the platform instead of using the one that ServiceNow generates.

    Before you begin

    Role required: sn_kmf.admin or sn_kmf.cryptographic_manager

    About this task

    If you're using Field Encryption Enterprise, you can bring your own data encryption key to the platform rather than using one generated by ServiceNow.

    You must have a symmetric key that has been generated outside of ServiceNow. The examples in this document rely on OpenSSL. For more information on OpenSSL, see details at https://www.openssl.org. If you are using other cryptographic tools, such as LibreSSL or GnuTLS, refer to the documentation for those products for similar steps.

    Procedure

    1. In a command line on your machine (example: Terminal), run the following command:
         openssl rand 32 > mykey.bin
       Note:
       When using a 128-bit key, run openssl rand 16 > mykey.bin instead of 32.
       Save the mykey.bin file, which will be used in the following steps.
    2. On your instance, navigate to All > System Security > Field Encryption > Field Encryption Settings.
    3. Change the Key Source field from ServiceNow Generated Keys to Customer Supplied Keys.
    4. Select Submit.
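
    The key from step 1 is raw secret material on disk, so it should be created readable only by its owner and checked for the expected length before it is wrapped. The following is an added example, not ServiceNow code: the function names gen_key and check_key are hypothetical, and the owner-only permission check is an assumption about how you want to protect the file locally.

```shell
#!/bin/sh
# Added example (not ServiceNow code); function names are hypothetical.

# check_key FILE BITS: succeed only if FILE holds exactly BITS/8 bytes
# and is not accessible to group or others.
check_key() {
    file=$1
    case "$2" in
        128) want=16 ;;
        256) want=32 ;;
        *) echo "unsupported key size: $2 (use 128 or 256)" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    have=$(( $(wc -c < "$file") ))
    if [ "$have" -ne "$want" ]; then
        echo "$file: $have bytes, expected $want" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$file: accessible to group/others ($mode)" >&2
        return 1
    fi
    return 0
}

# gen_key FILE BITS: run the page's `openssl rand` command under umask 077,
# refuse to overwrite an existing key file, then validate the result.
gen_key() {
    file=$1
    case "$2" in
        128) bytes=16 ;;
        256) bytes=32 ;;
        *) echo "unsupported key size: $2 (use 128 or 256)" >&2; return 2 ;;
    esac
    if [ -e "$file" ]; then
        echo "$file exists; refusing to overwrite" >&2
        return 3
    fi
    ( umask 077 && openssl rand "$bytes" > "$file" ) || { rm -f "$file"; return 1; }
    check_key "$file" "$2"
}

# Usage: gen_key mykey.bin 256
```

    Run check_key mykey.bin 256 again just before the wrap step to confirm the file has not been truncated or had its permissions loosened in the meantime.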

    What to do next

    Use the symmetric key you've created on your instance by following these steps:

    1. Configure properties for customer-supplied key
    2. Wrap your customer-supplied key
    3. Upload your customer-supplied key