Key Management Framework key lifecycle states

  • Release version: Xanadu
  • Updated August 1, 2024

    KMF supports several cryptographic key lifecycle states through the enforcement of specific allowable actions. For example, only keys that are in the active state can be used fully for their intended cryptographic purpose. The following table provides further detail on the varying key lifecycle states.

    Key lifecycle state or action | Description

    Active
        There can be only one active key for a given cryptographic specification in a cryptographic module.

    Compromised
        Several keys can exist in the compromised state for a given cryptographic specification in a cryptographic module. Any active or suspended key can be moved to the compromised state.

        Compromised keys cannot be used to generate new content, such as for encrypting or signing, but may still be used on existing content, such as for decryption or verification.

    Deactivated
        Any active key can be deactivated. There can be several keys in the deactivated state for a given cryptographic specification in a cryptographic module.

        For example, when a key is rotated, the current active key is deactivated. Deactivated keys cannot be used to generate new content, such as for encrypting or signing, but may still be used on existing content, such as for decryption or verification.

        Note: Compromised and revoked keys are treated as deactivated keys.

    Destroyed
        When a key is destroyed, its key material is permanently removed and can no longer be used for any cryptographic purpose. Any deactivated key can be destroyed by lifecycle automation when it has not been used within the configured time frame. There can be several keys in the destroyed state for a given cryptographic specification in a cryptographic module.

        Warning: Data associated with a destroyed key can no longer be accessed, so exercise extreme caution before performing a destroy key action.

    Generated
        Multiple keys can exist in the generated state for a given cryptographic specification in a cryptographic module.

        A generated key can be moved to the active state when no active key exists for the given cryptographic specification. The first key generated is automatically set to active.

        Note: If you choose to generate a new key, a new key is generated and made active even though keys already exist in the generated state for the given cryptographic specification.

    Renewed
        An active key that has an expiration date can be renewed any number of times to extend the lifecycle period of the key.

        Note: The difference between the activation date and the expiration date is calculated, and the expiration date is postponed by that duration from the current day.

    Resume
        This UI action is available on suspended keys and moves them back to the active state when no other active key exists for the given cryptographic specification.

    Revoked
        Any active or suspended key can be moved to the revoked state.

        Revoked keys cannot be used to generate new content, such as for encrypting or signing, but may still be used on existing content, such as for decryption or verification.

        Several keys in the revoked state may exist for a given cryptographic specification in a cryptographic module.

    Rotated
        Key rotation deactivates the current active key and makes another key active. Any active key can be rotated. Select the new active key from the following:
        • Generation of a new key.
        • An existing imported key.

    Suspended
        There can be several keys in the suspended state for a given cryptographic specification in a cryptographic module. A suspended key can be resumed and reassigned to the active state when no other active key exists for that cryptographic specification.
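    The table above is, in effect, a state machine: each state fixes which transitions are allowed and which cryptographic operations a key may still perform. The following is an added example, not ServiceNow's KMF code or API, that models those rules in plain JavaScript so they can be checked mechanically before any cryptographic call. The names (CryptoSpec, newKey, canUse, autoDestroy and their parameters) are assumptions made for the example, as are three details the table leaves open: imported keys wait in the generated state until a rotation activates them, suspension starts from the active state, and renewal reuses the original active-to-expiration duration on every renewal.

```javascript
// Added example, not ServiceNow's KMF code: a model of the lifecycle rules in
// the table above. One CryptoSpec holds the keys of one cryptographic
// specification inside a cryptographic module. Times are epoch milliseconds.
const DAY_MS = 24 * 60 * 60 * 1000;
// States that may still process existing content (decrypt, verify).
const USE_EXISTING = new Set(['active', 'deactivated', 'compromised', 'revoked']);
// Compromised and revoked keys are treated as deactivated, e.g. for destruction.
const DEACTIVATED_LIKE = new Set(['deactivated', 'compromised', 'revoked']);

// Assumption: imported keys also wait in "generated" until a rotation activates them.
function newKey(id, imported) {
  return { id, imported, state: 'generated', activatedAt: null, expiresAt: null,
           lifetimeMs: null,   // original active-to-expiration duration, reused by renew()
           lastUsedAt: null }; // drives lifecycle automation in autoDestroy()
}

class CryptoSpec {
  constructor() { this.keys = new Map(); }
  key(id) { const k = this.keys.get(id); if (!k) throw new Error('unknown key ' + id); return k; }
  activeKey() { return [...this.keys.values()].find(k => k.state === 'active') || null; }

  // Shared rule: at most one active key per cryptographic specification.
  activate(key, now, lifetimeDays) {
    if (this.activeKey()) throw new Error('another key is already active');
    key.state = 'active';
    key.activatedAt = now;
    key.lifetimeMs = lifetimeDays == null ? null : lifetimeDays * DAY_MS;
    key.expiresAt = key.lifetimeMs == null ? null : now + key.lifetimeMs;
    key.lastUsedAt = now;
  }

  // Generated: the first key is set active automatically; later ones wait.
  generate(id, now, lifetimeDays) {
    const key = newKey(id, false);
    this.keys.set(id, key);
    if (!this.activeKey()) this.activate(key, now, lifetimeDays);
    return key;
  }
  importKey(id) { const key = newKey(id, true); this.keys.set(id, key); return key; }

  // Rotated: deactivate the current active key, then activate either a newly
  // generated key (opts.newId) or an existing imported key (opts.importedId).
  rotate(now, opts) {
    const current = this.activeKey();
    if (!current) throw new Error('no active key to rotate');
    let next;
    if (opts.importedId != null) {
      next = this.key(opts.importedId);
      if (!next.imported || next.state !== 'generated') throw new Error('not an unused imported key');
    } else {
      next = newKey(opts.newId, false);
      this.keys.set(opts.newId, next);
    }
    current.state = 'deactivated';
    this.activate(next, now, opts.lifetimeDays);
    return next;
  }

  // Guarded one-step transitions from the table.
  move(id, from, to) {
    const key = this.key(id);
    if (!from.includes(key.state)) throw new Error(id + ': cannot move a ' + key.state + ' key to ' + to);
    key.state = to;
    return key;
  }
  suspend(id) { return this.move(id, ['active'], 'suspended'); } // assumption: suspend starts from active
  revoke(id) { return this.move(id, ['active', 'suspended'], 'revoked'); }
  compromise(id) { return this.move(id, ['active', 'suspended'], 'compromised'); }
  // Resume: suspended -> active, only while no other key is active.
  resume(id) {
    if (this.activeKey()) throw new Error('another key is already active');
    return this.move(id, ['suspended'], 'active');
  }

  // Renewed: postpone expiration by the original active-to-expiration duration,
  // counted from now; may be repeated any number of times.
  renew(id, now) {
    const key = this.key(id);
    if (key.state !== 'active' || key.expiresAt == null) throw new Error(id + ': not an active key with an expiration date');
    key.expiresAt = now + key.lifetimeMs;
    return key;
  }

  // Destroyed: only deactivated (or compromised/revoked) keys. The material is
  // gone, so data protected only by this key becomes unreadable.
  destroy(id) {
    const key = this.key(id);
    if (!DEACTIVATED_LIKE.has(key.state)) throw new Error(id + ': only deactivated keys can be destroyed');
    key.state = 'destroyed';
    return key;
  }

  // Lifecycle automation: destroy deactivated keys idle longer than the window.
  autoDestroy(now, inactivityDays) {
    return [...this.keys.values()]
      .filter(k => DEACTIVATED_LIKE.has(k.state) && now - k.lastUsedAt > inactivityDays * DAY_MS)
      .map(k => this.destroy(k.id).id);
  }

  // Guard to call before every cryptographic operation.
  canUse(id, op, now) {
    const key = this.key(id);
    const ok = (op === 'encrypt' || op === 'sign') ? key.state === 'active'
      : (op === 'decrypt' || op === 'verify') ? USE_EXISTING.has(key.state) : false;
    if (ok) key.lastUsedAt = now;
    return ok;
  }
}
```

    Two points in the model matter most for defenders: every encrypt, sign, decrypt or verify goes through canUse, so a compromised or revoked key is limited to reading content it already protects, and destroy refuses anything that is not deactivated, which is the guard that keeps the warning in the table from becoming an accidental data loss. The inactivity window passed to autoDestroy is the only thing standing between a deactivated key and its destruction, so size it to the longest retention period of the data the key protects.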