Key management for Edge Encryption
Summary of Key Management for Edge Encryption Platform Security
This section details the responsibilities involved in managing encryption keys for the Edge Encryption product. It guides you through selecting and managing encryption keys essential for protecting your data.
Key Features
- Encryption Key Types: Choose between AES 128-bit and AES 256-bit encryption. A default AES 128-bit key must be defined.
- Key Storage Options:
  - File Store: Keys stored in an unencrypted file, requiring careful protection.
  - Java KeyStore: Keys stored with password protection, allowing management of multiple keys via aliases.
  - Enterprise Key Management (EKM): Integrates with SafeNet KeySecure or Unbound Technology for key management.
- Mass Key Rotation: Schedule mass encryption jobs when rotating keys to ensure all data is re-encrypted with the new key.
- Keystore Management: Ensure the ServiceNow public key is imported into any custom keystores for validation and security.
Key Outcomes
By effectively managing your encryption keys, you enhance your data security within the Edge Encryption framework. This setup allows for streamlined key versioning with SafeNet, simplifying the process of updating keys without creating multiple aliases. Proper key management ensures that your data remains protected and compliant with security protocols.
You are responsible for providing and managing the encryption keys used by Edge Encryption.
This topic refers to keys for the Edge Encryption product. If you are looking for information on the Key Management Framework, which can be used with Column Level Encryption, see Key Management Framework.
You decide:
- Whether to use AES 128-bit or AES 256-bit keys. You must define a default AES 128-bit encryption key even if you never encrypt with it.
- Whether to store keys in the file store, a Java KeyStore, or an Enterprise Key Management (EKM) system.
- When to rotate encryption keys.
- Whether and when to run a mass encryption job to re-encrypt data with the new key.
Before removing a key from the proxy configuration files and the keystore, make sure that no data on the instance is still encrypted with that key. To do this, add a new encryption key and schedule a mass key rotation job, which re-encrypts the data with the new key; retire the old key only after that job has completed.
Keystores
- File store: Keys are stored in a file on a file system that the Edge Encryption proxy can read. Keys stored this way are not encrypted, so protecting the file (permissions, host hardening, backups) is your responsibility.
- Java KeyStore: Keys are stored in a Java JCEKS KeyStore. The keystore is protected by a password, so it is more secure than a plain file in the file store, but the proxy must be given that password to open the keystore, so the password needs the same protection. A single Java KeyStore can hold multiple keys, each identified by a key alias, which makes managing several keys (for example, during rotation) easier.
- Enterprise Key Management (EKM): Keys are stored in, and retrieved from, the SafeNet KeySecure or Unbound Technology key management systems.
The Edge Encryption proxy ships with the Java JCEKS KeyStore file named keystore.jceks in the keystore directory. This keystore file contains the ServiceNow public key used to validate encryption rules signed by ServiceNow.
In addition to the encryption keys, the Java JCEKS KeyStore is used to store the RSA key pair for digitally signing the encryption configuration and encryption rules that are stored in the instance, and the digital certificate that the Edge Encryption proxy uses to establish a secure connection with the browsers and any other clients.
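The following is a worked example added here; it is not ServiceNow's code and does not come from the Edge Encryption proxy. It uses the JDK's keytool to build a custom JCEKS keystore the way the sections above describe: a mandatory default AES-128 key, a dated AES-256 key, the ServiceNow public certificate imported for rule validation, and a rotation flow that adds a new alias first and refuses to delete the old one until the operator confirms the mass key rotation job has finished. The aliases (default-aes128, aes256-2024q1, aes256-2024q3, sn-signing), file names, working directory and password are assumptions, and the shipped keystore.jceks is stood in for by a constructed self-signed key pair so the script runs offline; on a real proxy you would export the certificate from the shipped keystore instead.

```shell
#!/bin/sh
# Added example, not ServiceNow's code: build a JCEKS keystore for the Edge
# Encryption proxy with the JDK's keytool. Aliases, file names and the
# password are illustrative assumptions; the shipped keystore.jceks is stood
# in for by a constructed one (self-signed cert) so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS='change-me-before-use'   # assumption: take the real value from a secret store

# Stand-in for the keystore.jceks shipped with the proxy. The self-signed
# key pair is constructed here and is NOT the real ServiceNow signing key.
make_shipped_keystore() {
    keytool -genkeypair -keystore "$WORK/shipped.jceks" -storetype JCEKS \
        -alias sn-signing -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=constructed stand-in for the ServiceNow public key" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    # Export only the public certificate; that is all a custom keystore needs.
    keytool -exportcert -keystore "$WORK/shipped.jceks" -storetype JCEKS \
        -alias sn-signing -file "$WORK/sn-public.cer" -storepass "$STOREPASS"
}

# Custom keystore: the mandatory default AES-128 key, a dated AES-256 key for
# current data, and the exported ServiceNow certificate for rule validation.
make_custom_keystore() {
    ks="$WORK/custom.jceks"
    keytool -genseckey -keystore "$ks" -storetype JCEKS -keyalg AES -keysize 128 \
        -alias default-aes128 -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -genseckey -keystore "$ks" -storetype JCEKS -keyalg AES -keysize 256 \
        -alias aes256-2024q1 -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -importcert -keystore "$ks" -storetype JCEKS -alias sn-signing \
        -file "$WORK/sn-public.cer" -storepass "$STOREPASS" -noprompt
}

# Rotation step 1: add the replacement key under a new alias. The old alias
# stays in place until a mass key rotation job has re-encrypted its data.
add_rotation_key() {
    keytool -genseckey -keystore "$WORK/custom.jceks" -storetype JCEKS \
        -keyalg AES -keysize 256 -alias "$1" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Rotation step 2: delete the old alias only after the operator confirms the
# mass key rotation job finished; deleting earlier strands encrypted data.
retire_key() {
    key_alias="$1"; rotation_done="$2"
    if [ "$rotation_done" != "yes" ]; then
        echo "refusing to delete '$key_alias': data may still be encrypted with it" >&2
        return 1
    fi
    keytool -delete -keystore "$WORK/custom.jceks" -storetype JCEKS \
        -alias "$key_alias" -storepass "$STOREPASS"
}

# One alias per line for the key and certificate entries in the custom keystore.
list_aliases() {
    keytool -list -keystore "$WORK/custom.jceks" -storetype JCEKS \
        -storepass "$STOREPASS" 2>/dev/null \
        | grep -E 'SecretKeyEntry|trustedCertEntry' | cut -d, -f1
}

# Run end to end with: sh edge_keystore.sh demo
if [ "${1:-}" = "demo" ]; then
    make_shipped_keystore
    make_custom_keystore
    add_rotation_key aes256-2024q3
    retire_key aes256-2024q1 yes
    list_aliases
fi
```

The keystore password is passed on the command line here only for readability; in practice keytool reads it from a file with `-storepass:file` or prompts for it, which keeps it out of shell history and process listings. Keep the file-store caveat in mind for the keystore file too: JCEKS protects the key material with the password, so anyone who can read both the file and the password has every key in it.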