Cryptographic specifications for Field Encryption

  • Release version: Australia
  • Updated March 12, 2026
  • Use cryptographic specifications to define the purpose, algorithm, key length, mode, and origin of your encryption key.

    Before you begin

    Role required: security_admin and sn_kmf.cryptographic_manager or sn_kmf.admin

    About this task

    This procedure shows how to configure generated keys. A data encryption key (known as a Module Key) is automatically populated once you have configured the Crypto Specifications.

    For customer-supplied key configuration, see Configure Customer-supplied keys for Field Encryption Enterprise.

    Procedure

    1. Navigate to All > System Security > Field Encryption > Field Encryption Experience.
    2. Select View module details from the Field Encryption modules overview to open the module record you want to configure.
      Note:
      The names displayed in the list are appended with the scope, for example, global.[your Field Encryption Module name].
    3. In the Cryptographic Specifications section, select Manage Specification Settings.
      The Key alias section of the Crypto Specifications tab is displayed.
    4. In the Crypto Specifications form, fill out the fields as needed.
      Note:
      The fields are divided into sections. Select the Next or Back buttons to navigate between sections.
      Fields by section (Field: Description):

      Algorithm Definition
        Crypto module: Displays the name of the selected cryptographic module.
        Crypto purpose: The purpose of the selected algorithm, key, length, and mode. For Field Encryption, this field is read-only and has a value of Symmetric Data Encryption/Decryption.
        Algorithm: Select a type of algorithm used to accomplish the cryptographic purpose. The options available are filtered to align to the selected cryptographic purpose.

      Lifecycle Definition
        Applies to: Displays the selected key that the lifecycle applies to.
        For field: Select the type of control for the key that you want to apply for the lifecycle.
          • Expiration date
          • Future activation date
          • Future destruction date
          • Future renewal date
          • Future rotation date
        Key type
        Lifecycle default
        Order: Order in which to process the key lifecycle state for the crypto specification. Lower values execute before higher values.
        Relative duration: Number of years, months, or days the key is valid.
        Relative duration type: Duration type of the lifecycle. Select from Years, Months, or Days.
        Relative operation: Choose Before or After.
        Relative to: Select a field that the duration is relative to.
          • Activation date
          • Compromise date
          • Deactivation date
          • Destruction date
          • Expiration date
          • Generation date
          • Last renewal date
          • Last rotated date
          • Revocation date
          Note:
          This field works together with the value selected in the Relative operation field.
        Type: Select whether the value for the key lifecycle is relative or absolute.
          • Relative: Enter a value that depends on other data entries in the system, such as key generation, activation, and deactivation.
          • Absolute: Enter an exact value, such as a date.

      Key Origin
        Crypto module: Displays the name of the selected cryptographic module.
        Origin: Whether the key originated from ServiceNow or is supplied by the customer.
          • For Starter, select Servicenow
          • For Enterprise, select Servicenow or Customer Supplied
        Key alias: Name of the cryptographic module with the scope appended to the front of the name.
        Crypto purpose: Displays the purpose of the selected algorithm, key, length, and mode. For Field Encryption, this field is read-only and has a value of Symmetric Data Encryption/Decryption.
        Algorithm: Displays the algorithm used to accomplish the crypto purpose.

      Key Creation
        Crypto module: Displays the name of the selected cryptographic module.
        Key alias: Displays the name of the cryptographic module with the scope appended to the front of the name.
        Generate Key: Select this link to generate your data encryption key if you're using a generated key, and not a customer-supplied key.
        Auto generate key: If you don’t select the Generate key link, a data encryption key is automatically generated the first time data must be encrypted using the cryptographic module.
        Crypto purpose: Displays the purpose of the selected algorithm, key, length, and mode. For Field Encryption, this field is read-only and has a value of Symmetric Data Encryption/Decryption.
        Origin: Displays the value that was selected during the Key Origin section.
        Algorithm: Displays the algorithm used to accomplish the crypto purpose.
    5. Select Go To Crypto Module to return to your Module record.
      In the Module record, there’s now an entry in the Module Keys related list. The Key alias field in the Crypto Specifications related list is now empty, since the key alias has moved to the new module key.
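
    The following added example is not ServiceNow code. It models how the Lifecycle Definition fields (Order, Type, Relative duration, Relative duration type, Relative operation, Relative to) could combine into concrete key dates, so that a planned rotation or expiration schedule can be checked before it is entered in the form. The function names, the rule object layout, and the month-end clamping are assumptions made for this illustration.

```javascript
// Simplified model of the Lifecycle Definition fields (illustration only,
// not the platform's implementation). Dates are UTC, keyed by form labels.

function addDuration(date, amount, unit) {
  const d = new Date(date.getTime());
  if (unit === 'Days') {
    d.setUTCDate(d.getUTCDate() + amount);
    return d;
  }
  const months = unit === 'Years' ? amount * 12 : amount;
  const day = d.getUTCDate();
  d.setUTCDate(1);                         // avoid overflow while moving months
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));    // assumption: clamp to month end
  return d;
}

function resolveLifecycle(keyDates, rules) {
  const dates = { ...keyDates };
  const sorted = [...rules].sort((a, b) => a.order - b.order); // lower Order first
  for (const r of sorted) {
    if (r.type === 'Absolute') {           // exact value, such as a date
      dates[r.forField] = new Date(r.value);
      continue;
    }
    const anchor = dates[r.relativeTo];    // the "Relative to" date must exist
    if (!anchor) {
      throw new Error(`Order ${r.order}: "${r.relativeTo}" is not set yet`);
    }
    const sign = r.relativeOperation === 'Before' ? -1 : 1;
    dates[r.forField] = addDuration(anchor, sign * r.relativeDuration, r.relativeDurationType);
  }
  return dates;
}

// Constructed sample (not real platform data): key generated on 29 Feb 2024.
const sampleRules = [
  { order: 200, forField: 'Future rotation date', type: 'Relative', relativeDuration: 30,
    relativeDurationType: 'Days', relativeOperation: 'Before', relativeTo: 'Expiration date' },
  { order: 100, forField: 'Expiration date', type: 'Relative', relativeDuration: 1,
    relativeDurationType: 'Years', relativeOperation: 'After', relativeTo: 'Generation date' },
];
const resolved = resolveLifecycle({ 'Generation date': new Date('2024-02-29T00:00:00Z') }, sampleRules);
console.log(resolved['Expiration date'].toISOString().slice(0, 10));
console.log(resolved['Future rotation date'].toISOString().slice(0, 10));
```

    In this model, a rule whose Relative to date is produced by another rule needs a higher Order value than that rule; otherwise the anchor date is missing when the rule is processed.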

    What to do next

    For information on using a customer supplied key, see Configure Customer-supplied keys for Field Encryption Enterprise.