Encrypt fields using encryption configurations

Encrypt fields by creating encryption configurations.

To configure Edge Encryption, you must be connected to the instance through the proxy. Test all changes on a non-production instance before making the changes to the production instance.

Define encryption keys

After you set up one or more proxies and configure a default encryption key, the instance verifies that the keys are available to all proxies. You cannot make an encryption key the default key unless all proxies have the key. Once a default key is defined, you can create encryption configurations.

Assign fields and attachments to be encrypted

Assigning fields and attachments to be encrypted means assigning an encryption type to the field or attachment. Before marking a field as encrypted, evaluate these issues.
  • Determine what system features might be impacted.
  • Examine all scripts for use of the field.
  • Make any desired adjustments to the field's size. After a field has been configured for encryption, the field size cannot be changed.

Marking a field to be encrypted expands the field size to provide the extra space needed to store the encrypted data. Expanding the field size can take a long time, depending on the number of records in the table.
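
For the "Examine all scripts for use of the field" step, the following added example (not ServiceNow code) scans script text for lines that query, sort, read, or write a given field, since with Edge Encryption the instance stores only the encrypted value. The script records are constructed samples, and the patterns assume GlideRecord-style calls (addQuery, addOrCondition, orderBy, orderByDesc, getValue, setValue) and dotted field access.

```javascript
'use strict';
// Added example (not ServiceNow code): find script lines that use a field
// planned for Edge Encryption. All script records below are constructed samples.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Patterns for common GlideRecord-style uses of one exact field name.
// Encoded query strings and dynamically built field names are not covered.
function buildPatterns(field) {
  const f = escapeRe(field);
  return [
    { kind: 'query', re: new RegExp(`\\.(addQuery|addOrCondition)\\(\\s*['"]${f}['"]`) },
    { kind: 'sort', re: new RegExp(`\\.(orderBy|orderByDesc)\\(\\s*['"]${f}['"]`) },
    { kind: 'accessor', re: new RegExp(`\\.(getValue|setValue)\\(\\s*['"]${f}['"]`) },
    { kind: 'property', re: new RegExp(`\\.\\s*${f}\\b(?!\\s*\\()`) },
  ];
}

// Returns one finding per (script, line, kind) match.
function scanScripts(scripts, field) {
  const patterns = buildPatterns(field);
  const findings = [];
  for (const { name, body } of scripts) {
    body.split('\n').forEach((text, i) => {
      const code = text.replace(/\/\/.*$/, ''); // ignore trailing line comments
      for (const { kind, re } of patterns) {
        if (re.test(code)) findings.push({ script: name, line: i + 1, kind });
      }
    });
  }
  return findings;
}

// Constructed sample input: hypothetical script names and bodies.
const SAMPLE_SCRIPTS = [
  { name: 'route by description', body: "var gr = new GlideRecord('incident');\n" +
      "gr.addQuery('short_description', 'CONTAINS', 'password');\n" +
      "gr.orderBy('short_description');\ngr.query();" },
  { name: 'default description', body: "if (current.short_description.nil()) {\n" +
      "  current.setValue('short_description', 'n/a');\n}" },
  { name: 'unrelated', body: "var d = current.getValue('description');\n" +
      "// old: current.short_description = d;\ngs.info(d);" },
];

console.log(scanScripts(SAMPLE_SCRIPTS, 'short_description'));
```

Each finding marks a line to review before the field is configured for encryption; query and sort findings are the ones most likely to change behavior once the stored value is encrypted.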

Create an encryption configuration

Select the fields to be encrypted and identify the encryption type.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > Create New.
  2. Fill in the fields on the form, as appropriate.
    Table 1. Edge Encryption configuration

    Field | Description
    Table | The table containing the field to be encrypted.
    Type | Whether to encrypt a table column or attachments for the table. Select Column.
    Column | The table field to be encrypted. This field appears when the Type is Column.
    Encryption type | The encryption type to use.

    Note: A specific table and field combination can only have one active configuration at a time.
  3. Click Submit.

What to do next

After the encryption record has been added, you can create an encryption job to encrypt existing data. If you do not run an encryption job, the existing data is encrypted the next time it is changed.

Deactivate an encryption configuration

After configuring a field or a table's attachments to be encrypted, you can stop encryption by deactivating the encryption configuration. After deactivating encryption, you can run a Decryption job for fields or an Attachment Decryption job for attachments to remove the encrypted data from the instance.

Before you begin

Role required: security-admin

About this task

Warning: Deactivating an encryption configuration does not delete the encryption record and the encryption type cannot be changed.

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > All.
    The Edge Encryption Configurations list is shown.
  2. Click on the encryption configuration to be deactivated.
    The Edge Encryption Configuration form is shown.
  3. Click on the Active box.
    The Active box is clear.
  4. Click Update.
    The Edge Encryption Configurations list is shown.

What to do next

You can run a Decryption or Attachment Decryption job to decrypt data on the instance. If you do not run a job, the encrypted data is decrypted the next time it is changed.

Schedule an encryption job

You can schedule a job to find and encrypt any unencrypted data in a specified field, using the default encryption key configured for the field. If you do not create an encryption job after configuring a field for encryption, the records are encrypted as they are saved to the instance.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to schedule an encryption job for.
  3. Under Related Links, click Schedule Mass Encryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for any previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field | Value
    Name | Enter a descriptive name.
    Active | Clear this check box if you want to deactivate this job.
    Job Type | Select Encryption.
    Table | Select a table.
    Column | Select a column.
    Run | Select the period between job executions.
    Starting | Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.

Schedule a decryption job

You can schedule a job to decrypt data in an encrypted field, to store clear data in the instance.

Before you begin

Note: You must mark the encryption record for the field as inactive (clear the Active box) before the decryption job runs; otherwise, nothing happens.

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to decrypt.
  3. Under Related Links, click Schedule Mass Decryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field | Value
    Name | Enter a descriptive name.
    Job Type | Select Decryption.
    Active | Clear this check box if you want to deactivate this job.
    Table | Select a table.
    Column | Select a column.
    Run | Select the period between job executions.
    Starting | Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.
