Create a cryptographic module life-cycle policy
- Updated Aug 1, 2024
- Xanadu release
Create a cryptographic module life-cycle policy to place limits on cryptographic modules, such as how long a key remains valid. These policies safeguard cryptographic modules by limiting their exposure.
Before you begin
Role required: sn_kmf.cryptographic_manager
About this task
A cryptographic module life-cycle policy is an instance-level policy. The more exposure that a cryptographic key has, the more likely it can be compromised. Safeguard keys by limiting how long the keys can be used and who can use them.
The following features govern cryptographic modules:
- Instance policies set boundaries for the instance. For example, if you specify in an instance policy that the expiration date should never be more than two years after the activation date, you can't use the life-cycle rules to set an expiration date five years after the activation date.
- Instance life-cycle templates enable you to set different policies for different keys. Templates offer default life-cycle rules for cryptographic modules so that they don't have to be re-created for every module. For example, you can set different expiration dates for symmetric data encryption keys than for public key wrapping keys.
- Life-cycle rules affect the keys directly. For example, if you specify in the life-cycle rules that the expiration date should be two years after the activation date, keys will expire two years after the activation date.
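As an added illustration, not the platform's own code or a KMF API, the following plain JavaScript models the three layers described above: the instance policy as the hard boundary, templates as per-key-type defaults, and the life-cycle rule as what actually sets a key's dates. The function names, the day-based limits and the template values are assumptions; only the two-year instance limit and the five-year rejected rule come from the page's example.

```javascript
// Added illustration (not ServiceNow KMF code): models the three layers the
// page describes. An instance policy bounds what any rule may set, a template
// supplies a per-key-type default rule, and the resolved rule derives the
// key's expiration from its activation date. All names and values are
// hypothetical except the two-year instance limit from the page's example.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function addDays(date, days) {
  return new Date(date.getTime() + days * MS_PER_DAY);
}

// Instance policy: the boundary for the whole instance (two years).
const instancePolicy = { maxExpirationDays: 730 };

// Instance life-cycle templates: defaults per key type, so each module does
// not have to restate its rules. Hypothetical values.
const templates = {
  symmetricDataEncryptionKey: { expirationDays: 365 },
  publicKeyWrappingKey: { expirationDays: 730 },
};

// Resolve the effective rule: an explicit rule overrides the template default,
// and whatever results must fall inside the instance boundary.
function resolveLifecycleRule(keyType, explicitRule) {
  const template = templates[keyType];
  if (!template) throw new Error(`no template for key type ${keyType}`);
  const expirationDays =
    explicitRule && explicitRule.expirationDays !== undefined
      ? explicitRule.expirationDays
      : template.expirationDays;
  if (expirationDays <= 0) throw new Error('expiration must be after activation');
  if (expirationDays > instancePolicy.maxExpirationDays) {
    throw new Error(
      `rule expiration of ${expirationDays} days exceeds instance maximum of ` +
        `${instancePolicy.maxExpirationDays} days`,
    );
  }
  return { keyType, expirationDays };
}

// Apply the resolved rule to a key: derive the expiration date from activation.
function activateKey(keyType, activationDate, explicitRule) {
  const rule = resolveLifecycleRule(keyType, explicitRule);
  return {
    keyType,
    activationDate,
    expirationDate: addDays(activationDate, rule.expirationDays),
  };
}

// A key may be used for its purpose only between activation and expiration.
function isKeyUsable(key, now) {
  return now >= key.activationDate && now < key.expirationDate;
}

// Stand-alone demonstration: template default, explicit rule within bounds,
// and a five-year rule rejected by the two-year instance policy.
function demo() {
  const activation = new Date(Date.UTC(2024, 7, 1));
  const fromTemplate = activateKey('symmetricDataEncryptionKey', activation);
  const explicit = activateKey('publicKeyWrappingKey', activation, { expirationDays: 400 });
  let rejected = null;
  try {
    activateKey('publicKeyWrappingKey', activation, { expirationDays: 1825 });
  } catch (e) {
    rejected = e.message;
  }
  return { fromTemplate, explicit, rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ordering matters: the boundary check runs after the template default is applied, so a template that was itself set beyond the instance limit is rejected at activation time rather than silently producing an over-long key.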
Procedure
What to do next
If you want to add exceptions to this life-cycle policy at the module level, see Create module lifecycle policy exceptions.
Related Content
- Cryptographic module overview
Cryptographic modules are the centerpiece of the Key Management Framework (KMF). They define the specific cryptographic mechanisms used for cryptographic operations for a given use case.
- Module access policy overview
Module access policies (MAPs) are access controls that you apply to your cryptographic modules. Use these access policies to decide which users and scripts can access data encrypted by a cryptographic module.
- Instance level keys in the Key Management Framework
The Key Management Framework (KMF) architecture introduces a key structure built with security in mind. Using a Hardware Security Module (HSM), KMF uses envelope encryption to ensure that all platform keys under KMF management are protected through a chain of keys. Customer Data Encryption Keys (CDEKs) created by KMF are also included.
- Cryptographic specification
The Cryptographic specification is the component that defines aspects of your cryptographic module, including its cryptographic purpose and which encryption algorithm to use.
- Key Management Framework key lifecycle states
KMF supports several cryptographic key lifecycle states through the enforcement of specific allowable actions. For example, only keys that are in the active state can be used fully for their intended cryptographic purpose. The following table provides further detail on the varying key lifecycle states.
- Roles installed with Key Management Framework
The Key Management Framework (KMF) introduces specific roles for cryptographic module and key management-related configurations.
- Configure field encryption settings to select key type
Configure your field encryption settings to use ServiceNow supplied keys or your own customer-supplied keys (CSK) for encryption on the ServiceNow AI Platform.
- Create a cryptographic module
Create a cryptographic module to define the mechanisms used for cryptographic operations. After you create the module, you create a cryptographic specification, where you define an algorithm for encryption and generate a key.
- Create a module access policy
Create module access policies to decide which users and scripts can access data encrypted by a cryptographic module.
- Module access policy visualization
Use module access policy visualization to view all relevant cryptographic module information on a single UI page.
- Module access policy debugger
Use the module access policy debugger to review logging information and understand why your users are or aren’t granted access to an encryption context.