Key management for Edge Encryption
You are responsible for providing and managing the encryption keys used by Edge Encryption.
This topic refers to keys for the Edge Encryption product. If you are looking for information on the Key Management Framework, which can be used with Field Encryption, see Key Management Framework.
When obtaining or creating encryption keys, you must decide:
- Whether to use AES 128-bit or AES 256-bit. You must define a default AES 128-bit encryption key, even if it is not used.
- Whether to use file system, Java KeyStore, or Enterprise Key Management (EKM).
- When to rotate encryption keys.
- When and if to use a mass encryption job to re-encrypt data using the new key.
Before removing a key from the proxy configuration files and the keystore, it is critical that you decrypt all data on the instance that uses the key. You can do this by adding a new encryption key and scheduling a mass key rotation job.
Keystores
- File store: Keys are stored in a file in a file system that is accessible by the Edge Encryption proxy. Encryption keys stored in a file are not encrypted, so it is your responsibility to protect these files.
- Java KeyStore: Keys are stored in Java's JCEKS KeyStore. A Java KeyStore is protected by a password, so it is more secure than storing keys in a file in the file store. A single Java KeyStore can store multiple keys, and the keys are identified by a key alias, making it easier to manage multiple keys.
- Enterprise Key Management (EKM): Keys are stored and retrieved with the SafeNet KeySecure or Unbound Technology key management systems.
The Edge Encryption proxy ships with the Java JCEKS KeyStore file named keystore.jceks in the keystore directory. This keystore file contains the ServiceNow public key used to validate encryption rules signed by ServiceNow.
In addition to the encryption keys, the Java JCEKS KeyStore also stores the RSA key pair used to digitally sign the encryption configuration and encryption rules that are stored in the instance, and the digital certificate that the Edge Encryption proxy uses to establish a secure connection with browsers and any other clients.
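To make the Java KeyStore option concrete, here is an added example (not part of this page and not the proxy's own code) that creates a JCEKS keystore holding the mandatory default AES 128-bit key and a second AES 256-bit key under separate aliases, copies the trusted-certificate entries out of the shipped keystore/keystore.jceks so the ServiceNow public key travels with the new keystore, and lists the result. It assumes the ServiceNow public key is stored as a trusted-certificate entry; the output file name, aliases and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class EdgeKeystoreSetup {
    // Placeholder passwords: load them from a secret store in practice, never hard-code them.
    static final char[] NEW_STORE_PASS = "CHANGE_ME_new".toCharArray();
    static final char[] SHIPPED_STORE_PASS = "CHANGE_ME_shipped".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, NEW_STORE_PASS);   // start from an empty, password-protected keystore
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(NEW_STORE_PASS);
        // Edge Encryption requires a default AES-128 key even if only AES-256 encrypts data.
        ks.setEntry("edge-default-aes128", new KeyStore.SecretKeyEntry(newAesKey(128)), prot);
        // Dated alias, so the next rotation key can sit beside this one in the same keystore.
        ks.setEntry("edge-aes256-2024-06", new KeyStore.SecretKeyEntry(newAesKey(256)), prot);

        // Copy the trusted-certificate entries (assumed to hold the ServiceNow public key)
        // from the keystore shipped with the proxy; a self-made keystore must carry that key.
        KeyStore shipped = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream("keystore/keystore.jceks")) {
            shipped.load(in, SHIPPED_STORE_PASS);
        }
        for (String alias : Collections.list(shipped.aliases())) {
            if (shipped.isCertificateEntry(alias)) {
                ks.setCertificateEntry(alias, shipped.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream("edge-keys.jceks")) {
            ks.store(out, NEW_STORE_PASS);
        }

        // List each alias with its key size so the mandatory AES-128 default can be confirmed.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {   // only secret keys are key entries in this keystore
                SecretKey k = (SecretKey) ks.getKey(alias, NEW_STORE_PASS);
                System.out.println(alias + ": AES-" + k.getEncoded().length * 8);
            } else {
                System.out.println(alias + ": trusted certificate (imported)");
            }
        }
    }

    static SecretKey newAesKey(int bits) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits);   // 256 needs the unlimited crypto policy (default since JDK 8u161)
        return kg.generateKey();
    }
}
```

Before pointing the proxy at the new file, remove any old key alias only after the mass key rotation job described above has re-encrypted all data that used it.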