Key management for Edge Encryption

  • Release version: Zurich
  • Updated July 31, 2025

    You are responsible for providing and managing the encryption keys used by Edge Encryption.

    This topic refers to keys for the Edge Encryption product. If you are looking for information on the Key Management Framework, which can be used with Field Encryption, see Key Management Framework.

    When obtaining or creating the encryption keys that Edge Encryption uses, decide the following:
    • Whether to use AES 128-bit or AES 256-bit keys. You must define a default AES 128-bit encryption key even if it is never used to encrypt data.
    • Whether to keep keys in the file system, in a Java KeyStore, or in an Enterprise Key Management (EKM) system.
    • When to rotate encryption keys.
    • Whether, and when, to run a mass encryption job that re-encrypts existing data with the new key.

    Before you remove a key from the proxy configuration files and from the keystore, make sure that no data on the instance is still encrypted with that key: once the key is gone, that data cannot be decrypted. The supported way to do this is to add a new encryption key and schedule a mass key rotation job, which re-encrypts the affected data with the new key. Remove the old key only after that job has completed.
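    The following is an added example, not ServiceNow code, that shows the ordering the paragraph above insists on against a password-protected JCEKS keystore: the AES 128-bit default key is created and kept, a replacement AES 256-bit key is added under its own alias, every record is decrypted with the old key and re-encrypted with the new one, and only then is the old alias deleted. The alias names, the keystore password, the AES-GCM record layout and the sample values are assumptions made for this example and say nothing about how the Edge Encryption proxy or the mass key rotation job format data internally. It needs Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Illustrative key rotation against a password-protected JCEKS keystore.
 * Added example, not ServiceNow code: alias names, the keystore password,
 * the AES-GCM record format and the sample records are assumptions.
 */
public class EdgeKeyRotationExample {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Generate an AES key of 128 or 256 bits and store it under the alias. */
    static void addAesKey(KeyStore ks, String alias, int bits, char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits, RNG);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(password));
    }

    /** Encrypt under the key stored at alias; the random IV is prepended to the ciphertext. */
    static byte[] encrypt(KeyStore ks, String alias, char[] password, byte[] plaintext) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, password);
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] record = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, record, 0, iv.length);
        System.arraycopy(ct, 0, record, iv.length, ct.length);
        return record;
    }

    /** Decrypt a record produced by encrypt(); GCM tag verification fails on a wrong key or tampering. */
    static byte[] decrypt(KeyStore ks, String alias, char[] password, byte[] record) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, password);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, record, 0, GCM_IV_BYTES));
        return c.doFinal(record, GCM_IV_BYTES, record.length - GCM_IV_BYTES);
    }

    /**
     * Re-encrypt every record from oldAlias to newAlias, then delete the old key.
     * deleteEntry runs only after every record has been moved: any exception
     * (wrong key, corrupt record) aborts before it, so the old key, and with it
     * the data, stays recoverable.
     */
    static List<byte[]> rotate(KeyStore ks, char[] password, String oldAlias,
                               String newAlias, List<byte[]> records) throws Exception {
        if (!ks.containsAlias(newAlias)) {
            throw new IllegalStateException("add the new key before rotating: " + newAlias);
        }
        List<byte[]> moved = new ArrayList<>(records.size());
        for (byte[] record : records) {
            moved.add(encrypt(ks, newAlias, password, decrypt(ks, oldAlias, password, record)));
        }
        ks.deleteEntry(oldAlias);
        return moved;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "change-me".toCharArray();   // constructed for the example
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);                        // new, empty keystore in memory

        addAesKey(ks, "default", 128, password);        // mandatory 128-bit default key, kept even if unused
        addAesKey(ks, "aes128-2024", 128, password);    // key currently protecting the data
        addAesKey(ks, "aes256-2025", 256, password);    // replacement key the data moves to

        List<byte[]> records = new ArrayList<>();
        for (String s : List.of("4111 1111 1111 1111", "123-45-6789")) {   // constructed sample values
            records.add(encrypt(ks, "aes128-2024", password, s.getBytes(StandardCharsets.UTF_8)));
        }

        List<byte[]> rotated = rotate(ks, password, "aes128-2024", "aes256-2025", records);
        for (byte[] r : rotated) {
            System.out.println(new String(decrypt(ks, "aes256-2025", password, r), StandardCharsets.UTF_8));
        }
        System.out.println("aliases after rotation: " + Collections.list(ks.aliases()));
    }
}
```

    Run it with `javac EdgeKeyRotationExample.java && java EdgeKeyRotationExample`. The point of `rotate` is the order of operations: the new alias is checked first, the delete is the last statement, and a failure anywhere in between leaves the old key in the keystore. To persist the keystore, call `ks.store(outputStream, password)`; the file is then protected by that password, so the password needs the same care as the file.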

    Keystores

    Edge Encryption supports the following types of key storage.
    File store
    Keys are stored in a file on a file system that the Edge Encryption proxy can read. Keys stored this way are not encrypted, so it is your responsibility to protect these files, for example by restricting file permissions and access to the proxy host.
    Java KeyStore
    Keys are stored in Java's JCEKS KeyStore. A Java KeyStore is protected by a password, so it is more secure than keeping keys in a plain file in the file store; the proxy still needs that password to open the keystore, so protect the password with the same care as the file. A single Java KeyStore can hold multiple keys, each identified by a key alias, which makes managing several keys easier.
    Enterprise Key Management (EKM)
    Keys are stored in, and retrieved from, a SafeNet KeySecure or Unbound Technology key management system.

    The Edge Encryption proxy ships with the Java JCEKS KeyStore file named keystore.jceks in the keystore directory. This keystore file contains the ServiceNow public key used to validate encryption rules signed by ServiceNow.

    Note:
    If using a keystore other than the base system Java JCEKS KeyStore, you must import the ServiceNow public key into your keystore. The public key alias is servicenow.

    In addition to the encryption keys, the Java JCEKS KeyStore holds two other kinds of entry: the RSA key pair used to digitally sign the encryption configuration and encryption rules that are stored in the instance, and the digital certificate that the Edge Encryption proxy presents when establishing a secure connection with browsers and any other clients.
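    Because a keystore that lacks the entries described above fails only when the proxy tries to use them, it is worth checking a keystore before pointing the proxy at it. The following is an added example, not ServiceNow code: it walks a JCEKS keystore, distinguishes trusted certificate, private key and secret key entries, and reports the two requirements this page states, a trusted certificate under the alias `servicenow` and an AES 128-bit default key, plus a sanity check that every secret key is AES of 128 or 256 bits. The findings' wording, the sample alias and the password are this example's assumptions. With no arguments it builds a deliberately incomplete in-memory keystore to show the failure modes; given a path and password it audits a real file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Pre-flight audit of a JCEKS keystore meant for the Edge Encryption proxy.
 * Added example, not ServiceNow code. The alias "servicenow" and the need for
 * a default AES 128-bit key come from the documentation; the wording of the
 * findings, the sample alias and the password are assumptions made here.
 */
public class KeystoreAudit {

    static final String SERVICENOW_ALIAS = "servicenow";

    /** Returns findings as text; an empty list means the documented requirements are met. */
    static List<String> audit(KeyStore ks, char[] password) throws Exception {
        List<String> findings = new ArrayList<>();
        boolean haveAes128 = false;

        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                continue;   // trusted certificate entry, e.g. the ServiceNow public key
            }
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                continue;   // RSA pair for signing the configuration, or the TLS certificate's key
            }
            if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                SecretKey k = (SecretKey) ks.getKey(alias, password);
                int bits = k.getEncoded().length * 8;
                if (!"AES".equals(k.getAlgorithm())) {
                    findings.add(alias + ": " + k.getAlgorithm() + " key, only AES keys are expected");
                } else if (bits != 128 && bits != 256) {
                    findings.add(alias + ": AES " + bits + "-bit key, expected 128 or 256");
                } else if (bits == 128) {
                    haveAes128 = true;
                }
            }
        }
        if (!ks.isCertificateEntry(SERVICENOW_ALIAS)) {
            findings.add("no trusted certificate under alias '" + SERVICENOW_ALIAS
                    + "': signed encryption rules cannot be validated");
        }
        if (!haveAes128) {
            findings.add("no AES 128-bit key: a default 128-bit key must be defined even if unused");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        char[] password = (args.length > 1 ? args[1] : "change-me").toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (args.length > 0) {
            // Audit a real keystore: java KeystoreAudit /path/to/keystore.jceks <password>
            try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
                ks.load(in, password);
            }
        } else {
            // No arguments: build a deliberately incomplete keystore to show the failure modes.
            ks.load(null, password);
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(192);   // a size this page does not offer; constructed to trigger a finding
            ks.setEntry("aes192-oops", new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(password));
        }
        List<String> findings = audit(ks, password);
        System.out.println(findings.isEmpty() ? "keystore OK" : "findings:");
        findings.forEach(f -> System.out.println("  - " + f));
    }
}
```

    Run against the shipped keystore with `java KeystoreAudit keystore/keystore.jceks <password>` after compiling. The check for `servicenow` uses `isCertificateEntry`, so an entry imported under that alias as anything other than a trusted certificate is also reported, which is the mistake most likely to produce rule-validation failures later.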