Instance level keys in the Key Management Framework
Summary of Instance level keys in the Key Management Framework
The Key Management Framework (KMF) in ServiceNow Yokohama release uses a hierarchical key structure based on envelope encryption to securely manage and protect platform keys, including Customer Data Encryption Keys (CDEKs). This structure ensures all keys are protected through a chain of encryption keys stored and managed within a highly secure Hardware Security Module (HSM).
Key Features
- Hardware Security Module (HSM): KMF leverages the SafeNet KeySecure HSM, compliant with FIPS 140-2-L3, providing tamper-proof protection for root keys.
- Envelope Encryption: Keys are encrypted (wrapped) by other keys in a layered manner:
  - Root Key (RK) decrypts the Instance Root Key (IRK).
  - IRK encrypts the Instance Key Encryption Key (IKEK).
  - IKEK encrypts module keys and Customer Data Encryption Keys (CDEKs).
- Instance-Level Keys: Several keys unique to each instance are defined for cryptographic operations, such as authentication, encryption, signing, and password field management.
Instance-Level Keys and Their Purposes
- Root Key (RK): Stored in HSM; decrypts the Instance Root Key.
- Instance Root Key (IRK): Unique per instance; encrypts several internal keys; stored in HSM.
- Instance HMAC Key (IHK): Used for message authentication to verify integrity and authenticity of module keys.
- Instance Key Encryption Key (IKEK): Wraps module keys and CDEKs; stored securely.
- Instance Asymmetric Encryption Key (IAEK): Used for asymmetric encryption during key exchange and data replication approvals.
- Instance Signature Key (ISK): Used internally for digital signing operations.
- Password2 (PW2) Key: Fully managed by KMF for encrypting PW2 fields.
- Customer Data Encryption Keys (CDEKs): Envelope encrypted by IKEK; used for encrypting customer data.
- Instance Data Replication (IDR) Data Encryption Key (DEK): Used specifically for encrypting data during the IDR process.
Practical Benefits for ServiceNow Customers
ServiceNow customers can trust that their instance-level cryptographic keys are managed through a robust, secure, and compliant framework. Envelope encryption via the HSM-backed key chain ensures strong protection of sensitive keys and data. This framework supports secure data encryption, authentication, key exchange, and signing operations essential for maintaining data confidentiality and integrity across the ServiceNow AI Platform.
Learn about the Key Management Framework (KMF) key structure, which uses envelope encryption to ensure that all platform keys under KMF management are protected through a chain of keys. Customer Data Encryption Keys (CDEKs) created by KMF are also included in this structure.
KMF key storage architecture
The KMF key structure uses the SafeNet KeySecure Hardware Security Module (HSM). The HSM is designed to be physically and electronically tamper-proofed to meet the FIPS 140-2-L3 security standard. KMF uses envelope encryption to ensure that all platform keys under KMF management are protected through a chain of keys, including the module keys that can be generated by KMF.
Envelope encryption
Envelope encryption is the practice of encrypting a key with another key, also referred to as wrapping. Module keys are envelope encrypted by the Instance Key Encryption Key (IKEK), which in turn is envelope encrypted by the Instance Root Key (IRK), which is finally envelope encrypted by the Root Key (RK). Since the IRK can only be accessed by the HSM, the IKEK must be uploaded for decryption.
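The wrapping chain described above, as an added example that is not ServiceNow code: each key is sealed under its parent, and data can be read only by unwrapping RK, IRK, IKEK and CDEK in order. The function names, the use of AES-256-GCM as the wrapping algorithm, and the in-memory Root Key standing in for the HSM are assumptions of this sketch.

```javascript
const nodeCrypto = require('node:crypto');

// Seal `secret` under `kek` with AES-256-GCM (the algorithm is this example's
// assumption). `label` is authenticated so a blob cannot be moved to another slot.
function wrap(kek, secret, label) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  c.setAAD(Buffer.from(label));
  const body = Buffer.concat([c.update(secret), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]); // iv(12) | tag(16) | body
}

// Throws if `kek` is wrong or the blob or label was altered.
function unwrap(kek, blob, label) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, blob.subarray(0, 12));
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

const LEVELS = ['IRK', 'IKEK', 'CDEK', 'data'];

// Wrap each generated key under its parent; only wrapped blobs are returned.
function buildChain(rk, record) {
  const [irk, ikek, cdek] = [0, 1, 2].map(() => nodeCrypto.randomBytes(32));
  return {
    IRK: wrap(rk, irk, 'IRK'),
    IKEK: wrap(irk, ikek, 'IKEK'),
    CDEK: wrap(ikek, cdek, 'CDEK'),
    data: wrap(cdek, record, 'data'),
  };
}

// Walk RK -> IRK -> IKEK -> CDEK -> record; report the first level that fails.
function openChain(rk, chain) {
  let key = rk;
  for (const label of LEVELS) {
    try {
      key = unwrap(key, chain[label], label);
    } catch (err) {
      return { ok: false, failedAt: label };
    }
  }
  return { ok: true, record: key.toString() };
}

const rk = nodeCrypto.randomBytes(32); // stand-in for the HSM-held Root Key
const chain = buildChain(rk, Buffer.from('constructed sample record'));
console.log(openChain(rk, chain));
```

Everything in `chain` can sit in ordinary storage: without the Root Key the walk stops at the IRK, and a modified or relocated wrapped key stops it at that level.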
At the instance level, KMF defines several keys that are used internally for varying cryptographic purposes throughout the ServiceNow AI Platform.
This table provides examples of a subset of available keys that are managed and protected by KMF.
| Key | Location | Description |
|---|---|---|
| Root Key (RK) | Hardware Security Module (HSM) | Root key used to decrypt the IRK. |
| Instance Root Key (IRK) | HSM | A key unique to your instance that is used to envelope-encrypt several instance internal keys. |
| Instance HMAC Key (IHK) | Instance | Unique per instance, the IHK is used internally for Hash-Based Message Authentication Code (HMAC) purposes. The IHK helps to verify the authenticity and integrity of module keys and is wrapped on either KeySecure or the File Key Store. |
| Instance Key Encryption Key (IKEK) | Instance | The IKEK wraps the module keys and is wrapped on either KeySecure or the File Key Store. |
| Instance Asymmetric Encryption Key (IAEK) | Instance | A key unique to your instance that is used internally for asymmetric encryption purposes. The IAEK is used to transmit confidential messages between instances during Key Exchange or Instance Data Replication consumer approval. |
| Instance Signature Key (ISK) | Instance | A key unique to your instance that is used internally for signing purposes. |
| Password2 (PW2) | Instance | With KMF, the key for PW2 fields is fully managed by KMF. |
| Customer Data Encryption Key (CDEK) | Instance | Encryption keys created through KMF are envelope-encrypted by the IKEK. |
| Instance Data Replication (IDR) Data Encryption Key (DEK) | Instance | Specific encryption keys used for the IDR process. |