Key management for Edge Encryption

  • Release version: Yokohama
  • Updated January 30, 2025
    You are responsible for providing and managing the encryption keys used by Edge Encryption.

    This topic refers to keys for the Edge Encryption product. If you are looking for information on the Key Management Framework, which can be used with Field Encryption, see Key Management Framework.

When obtaining and creating encryption keys to support the encryption types used by Edge Encryption, consider the following:
  • Whether to encrypt with AES 128-bit or AES 256-bit keys. A default AES 128-bit encryption key must always be defined, even if you never encrypt anything with it.
  • Whether to store keys in the file system, in a Java KeyStore, or in an Enterprise Key Management (EKM) system.
  • When to rotate encryption keys.
  • When, and whether, to run a mass encryption job to re-encrypt existing data with the new key.

Before removing a key from the proxy configuration files and the keystore, it is critical that no data on the instance is still encrypted with that key: once the key is gone, that data cannot be decrypted. Add a new encryption key first, schedule a mass key rotation job to re-encrypt the data with the new key, and remove the old key only after the job has completed.

    Keystores

Edge Encryption supports the following types of key storage.

File store
Keys are stored in a file in a file system that is accessible by the Edge Encryption proxy. Keys stored this way are not encrypted, so it is your responsibility to protect these files: restrict them to the account the proxy runs as, and keep them out of backups and repositories that are not protected to the same standard.

Java KeyStore
Keys are stored in a Java JCEKS KeyStore. The keystore is protected by a password, so it is more secure than a plain key file, but the proxy still needs that password to open it, so protect the proxy configuration that supplies the password as carefully as the keystore itself. A single Java KeyStore can hold multiple keys, each identified by an alias, which makes managing several keys and rotating between them easier.

Enterprise Key Management (EKM)
Keys are stored in, and retrieved from, an external SafeNet KeySecure or Unbound Technology key management system.

The Edge Encryption proxy ships with a Java JCEKS KeyStore file named keystore.jceks in the keystore directory. This keystore contains the ServiceNow public key, which the proxy uses to validate the signatures on encryption rules signed by ServiceNow.

    Note:
If you use a keystore other than the base system Java JCEKS KeyStore, you must import the ServiceNow public key into that keystore under the alias servicenow. Without it, the proxy cannot validate the signed encryption rules.

In addition to the encryption keys, the Java JCEKS KeyStore holds the RSA key pair used to digitally sign the encryption configuration and encryption rules that are stored in the instance, and the digital certificate that the Edge Encryption proxy presents when establishing a secure (TLS) connection with browsers and any other clients.
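The keystore set-up and the key removal rule above, as an added example that is not ServiceNow's own code: a small Java utility that creates or opens a JCEKS keystore for the proxy, adds the required AES 128-bit default key and a new AES 256-bit key under their own aliases, imports the ServiceNow public key certificate under the alias servicenow (only needed for a keystore other than the shipped one), and refuses to delete an old key alias until the caller confirms that the mass key rotation job has finished. The alias names edge-aes128-default, edge-aes256-v1 and edge-aes256-v2, the EDGE_KEYSTORE_PASSWORD environment variable and the rotationComplete flag are assumptions made for illustration; how the proxy itself names keys and reads the keystore password is set in its own configuration and is not shown here.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not ServiceNow code. Aliases, file names, the environment
// variable and the rotation flag are assumptions made for illustration.
public class EdgeKeystoreAdmin {

    // The shipped proxy keystore is JCEKS; plain JKS cannot hold SecretKey entries.
    private static final String KEYSTORE_TYPE = "JCEKS";
    private static final String SERVICENOW_ALIAS = "servicenow";

    static KeyStore load(Path file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        if (Files.exists(file)) {
            try (FileInputStream in = new FileInputStream(file.toFile())) {
                ks.load(in, password);   // a wrong password fails here with IOException
            }
        } else {
            ks.load(null, password);     // start a new, empty keystore
        }
        return ks;
    }

    static void save(KeyStore ks, Path file, char[] password)
            throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, password);
        }
    }

    // Generate a fresh AES key (128 or 256 bits) under a new alias. Refusing to
    // overwrite an alias avoids silently replacing a key instance data depends on.
    static void addAesKey(KeyStore ks, String alias, int bits, char[] keyPassword)
            throws GeneralSecurityException {
        if (bits != 128 && bits != 256) {
            throw new IllegalArgumentException("Edge Encryption uses AES-128 or AES-256 keys");
        }
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already exists: " + alias);
        }
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(bits);
        SecretKey key = gen.generateKey();
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(keyPassword));
    }

    // Import the ServiceNow public key (an X.509 certificate, PEM or DER) under
    // the alias the proxy looks for when validating signed encryption rules.
    static void importServiceNowCert(KeyStore ks, Path certFile)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(certFile.toFile())) {
            Certificate cert = cf.generateCertificate(in);
            ks.setCertificateEntry(SERVICENOW_ALIAS, cert);
        }
    }

    // Delete an old key alias only after the mass key rotation job that
    // re-encrypts its data has completed; otherwise that data is unrecoverable.
    static void retireKey(KeyStore ks, String alias, boolean rotationComplete)
            throws GeneralSecurityException {
        if (!rotationComplete) {
            throw new IllegalStateException("refusing to delete " + alias
                    + ": instance data may still be encrypted with it");
        }
        ks.deleteEntry(alias);
    }

    static List<String> aliases(KeyStore ks) throws GeneralSecurityException {
        return Collections.list(ks.aliases());
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("EDGE_KEYSTORE_PASSWORD");   // assumed variable name
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("set EDGE_KEYSTORE_PASSWORD; do not hard-code it");
        }
        char[] password = pw.toCharArray();
        Path file = Path.of(args.length > 0 ? args[0] : "keystore.jceks");

        KeyStore ks = load(file, password);
        if (!ks.containsAlias("edge-aes128-default")) {
            addAesKey(ks, "edge-aes128-default", 128, password);  // required default key
        }
        if (!ks.containsAlias("edge-aes256-v2")) {
            addAesKey(ks, "edge-aes256-v2", 256, password);       // new key for rotation
        }
        if (args.length > 1 && !ks.containsAlias(SERVICENOW_ALIAS)) {
            importServiceNowCert(ks, Path.of(args[1]));           // non-shipped keystore only
        }
        save(ks, file, password);
        System.out.println("aliases: " + aliases(ks));

        try {
            retireKey(ks, "edge-aes256-v1", false);   // rotation not finished: must fail
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run it as `EDGE_KEYSTORE_PASSWORD=... java EdgeKeystoreAdmin.java keystore.jceks servicenow.pem` (the second argument is only needed when you are not using the shipped keystore). The point of the retireKey guard is the ordering the page insists on: the new alias must exist and the mass key rotation must have finished before the old alias is deleted. The keystore password is the one secret this utility does not manage; wherever the proxy reads it from, that location needs the same protection as the keystore file.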