ServiceNow Edge Encryption

With Edge Encryption, you control and possess all encryption keys for encrypted data.

Edge Encryption is a proxy application that resides in your network. It encrypts data before the data is sent over the Internet to your instance (encrypted while in flight). The data remains encrypted while stored in the instance (encrypted while at rest). The encrypted data is sent back to the proxy application when requested (encrypted in motion). Finally, the encrypted data is decrypted by the proxy before being sent to the client in your network.

Your security administrator specifies which fields are to be encrypted. AES 128 or AES 256 encryption algorithms can be used. Attachments can be encrypted on a table by table basis. Depending on the encryption type chosen for a field, certain levels of UI filtering, sorting, or compare functionality can be preserved.

Figure 1. Edge Encryption

You own and manage the encryption keys. Encryption keys are never sent to the instance. ServiceNow never possesses the clear data and cannot see it. Three key storage mechanisms are supported: file store, Java KeyStore, and SafeNet. The Edge Encryption proxy obtains encryption keys from one of the key stores to encrypt and decrypt data.

This podcast offers additional information on Edge Encryption: https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/285885322&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true

Edge Encryption limitations: Edge Encryption impacts system functions. Carefully evaluate the impact of encrypting a field.
Getting started with Edge Encryption: Successful implementation of Edge Encryption requires planning and preparation.
Edge Encryption application and proxy: Edge Encryption has these components: the Edge Encryption applications installed via a plugin and the Edge Encryption proxy that can be downloaded from one of the menu options from the Edge Encryption application.
Encryption types: For each encryption type, Edge Encryption provides support for AES with 128-bit encryption keys. If the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files are installed, it also provides support for 256-bit encryption keys for each of the encryption types.
Encrypted attachments: You can encrypt attachments for specific tables.
Encryption patterns: You can specify string patterns to be replaced by tokens before being sent to and stored in the instance.
Proxy database: The proxy database is used to support the order preserving encryption type and encryption patterns.
Key management: You are responsible for providing and managing the encryption keys used by Edge Encryption.
Key store management: Encryption keys must be stored in one or more encryption key stores.
Encryption key rotation: You can perform encryption key rotation from the instance. You can add a new key, change the default key assignment, and then schedule a mass key rotation job.
Request Edge Encryption: The Edge Encryption plugin (com.glide.edgeencryption) is available as a separate subscription.
Edge Encryption proxy installation: Install one or more Edge Encryption proxy applications on your network.
Add an additional proxy on Linux: After the first Edge Encryption proxy is properly configured and tested, you can set up additional proxies on Linux.
Add an additional proxy on Windows: After the first Edge Encryption proxy is configured, you can set up additional proxies on Windows.
Set up multiple provider SSO with Edge Encryption: If implementing multiple provider single sign-on (SSO) with Edge Encryption enabled, some users may need to log in to your instance through the Edge Encryption proxy server, while other users may not. Set up multiple provider SSO to enable logging in through the Edge Encryption proxy server URL or the instance URL.
Edge Encryption ODBC driver integration: Configure your ODBC driver to query data encrypted by Edge Encryption. The Edge Encryption proxy server encrypts ODBC driver requests to the ServiceNow instance when Edge Encryption is integrated with the ODBC driver.
Edge Encryption MID Server integration: Configure the MID Server to route data through an Edge Encryption proxy server.
Configure Edge Encryption on the instance: Configure Edge Encryption by defining encryption keys, assigning fields and attachments to be encrypted, and specifying encryption patterns.
Start the Edge Encryption proxy: After an Edge Encryption proxy is installed and configured, you can start the proxy from the command line.
Stop the Edge Encryption proxy: You can stop an Edge Encryption proxy from the command line.
Update an Edge Encryption proxy: You must manually update each Edge Encryption proxy.
Uninstall the Edge Encryption proxy on Linux: You can uninstall the Edge Encryption proxy. If you are upgrading the proxy, it is not necessary to shut down and uninstall the current version.
Uninstall the Edge Encryption proxy on Windows: You can uninstall the Edge Encryption proxy. If you are upgrading the proxy, it is not necessary to shut down and uninstall the current version.
Scheduled encryption jobs: If you have the security-admin role, you can schedule several different types of jobs to be performed by the Edge Encryption proxy.
Edge Encryption monitoring: You can monitor sessions that use Edge Encryption proxies.
Edge Encryption logging: Edge Encryption logs information on the instance and on each proxy server.
Encryption rules: It may be necessary to write encryption rules when you want to encrypt data passed as part of GET and POST requests to processors or APIs on the instance. You can create rules for mapping elements of fields in requests to Glide table-field names.
Dictionary attributes: You can add Edge Encryption dictionary attributes to tables and fields.
Installed with Edge Encryption: Several types of components are installed with the Edge Encryption feature.