Encrypt fields using encryption configurations

Encrypt fields by creating encryption configurations.

To configure Edge Encryption, you must be connected to the instance through the proxy. Test all changes on a non-production instance before making the changes to the production instance.

Define encryption keys

After setting up one or more proxies and configuring a default encryption key, the instance verifies that the keys are available to all proxies. You cannot make an encryption key the default key unless all proxies have the key. Once a default key is defined, you can create encryption configurations.

Assign fields and attachments to be encrypted

Assigning fields and attachments to be encrypted means assigning an encryption type to the field or attachment. Before marking a field as encrypted, evaluate these issues.
  • Determine what system features might be impacted.
  • Examine all scripts for use of the field.
  • Make any desired adjustments to the field size. After a field has been configured for encryption, the field size cannot be changed.
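One way to carry out the script review from the list above, shown as an added example (not ServiceNow code): it scans script text for references to the field and separates lines that filter on or compare the field's value from plain references. The script records are constructed samples, and `findFieldUsage` and `summarize` are hypothetical helper names.

```javascript
// Added example: pre-encryption review of script references to a field.
// SAMPLE_SCRIPTS is constructed data standing in for exported script records.
const SAMPLE_SCRIPTS = [
  { table: 'sys_script', name: 'Flag VIP callers',
    script: "if (current.short_description.indexOf('VIP') > -1) { current.priority = 1; }" },
  { table: 'sys_script_include', name: 'IncidentUtil',
    script: "var gr = new GlideRecord('incident');\ngr.addQuery('short_description', 'CONTAINS', term);\ngr.query();" },
  { table: 'sys_script_client', name: 'Copy caller',
    script: "g_form.setValue('description', g_form.getValue('caller_id'));" },
  { table: 'sys_script', name: 'Outage report',
    script: "var v = current.getValue('short_description');\ngr.addEncodedQuery('active=true^short_descriptionLIKEoutage');" },
];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Returns one hit per script line that mentions `field`, classified by how the value is used.
function findFieldUsage(scripts, field) {
  const f = escapeRe(field);
  // Whole-name match, so "description" does not hit "short_description";
  // an uppercase operator may follow directly, as in an encoded query string.
  const mention = new RegExp(`(?<![A-Za-z0-9_])${f}(?![a-z0-9_])`);
  // Filtering or sorting on the stored value.
  const query = new RegExp(
    `(?:addQuery|addOrCondition|orderBy(?:Desc)?)\\(\\s*['"]${f}['"]|addEncodedQuery\\([^)]*${f}`);
  // Comparing or searching the value in script.
  const compare = new RegExp(
    `\\.${f}\\s*(?:[=!]==?|\\.(?:indexOf|match|startsWith|includes|toLowerCase)\\b)`);
  const hits = [];
  for (const rec of scripts) {
    rec.script.split('\n').forEach((text, i) => {
      if (!mention.test(text)) return;
      const kind = query.test(text) ? 'query' : compare.test(text) ? 'compare' : 'reference';
      hits.push({ table: rec.table, name: rec.name, line: i + 1, kind, text: text.trim() });
    });
  }
  return hits;
}

// Count hits per kind; 'query' and 'compare' are the ones that act on the field's content.
function summarize(hits) {
  return hits.reduce((acc, h) => ({ ...acc, [h.kind]: (acc[h.kind] || 0) + 1 }), {});
}

const hits = findFieldUsage(SAMPLE_SCRIPTS, 'short_description');
console.table(hits);
console.log(summarize(hits));
```

Lines classified as `query` or `compare` depend on the field's content and are the ones to review first; every hit is reported, including matches in comments, so that nothing is skipped silently.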

Marking a field to be encrypted expands the field size to store the encrypted data. The process of expanding the field size can take a long time, depending on the number of records in the table.

Create an encryption configuration

Select the fields to be encrypted and identify the encryption type.

Before you begin

Role required: security_admin

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > Create New.
  2. Complete the form.
    Field: Description
    Table: The table that contains the field to be encrypted.
    Type: Whether to encrypt a table column or attachments for the table. Select Column.
    Column: The field to be encrypted. Appears only when the Type is Column.
      Only String, Date, Date/Time, Journal, Journal Input, and URL fields are supported.
      • String and URL fields: You can add an encryption configuration to either a parent table or a child table.
      • Date and Date/Time fields: You can add an encryption configuration to a parent table only. You cannot add a new encryption configuration to a child table.
        Note: Depending on the number of records affected by the Date and Date/Time fields you are encrypting, it may take up to a few minutes to create the encryption configuration. Make sure that you create the encryption configuration for Date and Date/Time fields when transaction volume on the instance is low.
    Encryption type: The encryption type to use.
      Note: A specific table and field combination can have only one active configuration at a time.
  3. Click Submit.

What to do next

After you add the encryption configuration record, you can create an encryption job to encrypt existing data. If you do not run an encryption job, Edge encrypts the existing data the next time the data changes.

Deactivate an encryption configuration

After configuring a field or a table's attachments to be encrypted, you can stop encryption by deactivating the encryption configuration. After deactivating encryption, you can run a Decryption job for fields or an Attachment Decryption job for attachments to remove the encrypted data from the instance.

Before you begin

Role required: security_admin

About this task

Warning: Deactivating an encryption configuration does not delete the encryption record and the encryption type cannot be changed.

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > All.
    The Edge Encryption Configurations list is shown.
  2. Click on the encryption configuration to be deactivated.
    The Edge Encryption Configuration form is shown.
  3. Click on the Active box.
    The Active box is clear.
  4. Click Update.
    The Edge Encryption Configurations list is shown.

What to do next

You can run a Decryption or Attachment Decryption job to decrypt data on the instance. If you do not run a job, the encrypted data is decrypted the next time it is changed.

Schedule an encryption job

You can schedule a job to find and encrypt any unencrypted data in a specified field, using the default encryption key configured for the field. If you do not create an encryption job after configuring a field for encryption, only new values are encrypted.

Before you begin

Role required: security_admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to schedule an encryption job for.
  3. Under Related Links, click Schedule Mass Encryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for any previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field: Value
    Name: Enter a descriptive name.
    Active: Clear this check box if you want to deactivate this job.
    Job Type: Select Encryption.
    Table: Select a table.
    Column: Select a column.
    Estimated record count: Total estimated number of records to process. Populates after selecting Estimate Record Count.
    Process Historical Records: Select to process historical records in the Audit table if the field is audited. When encrypting historical records for a field in the Audit table, both new values and old values are encrypted.
      To learn more about audited fields, see Auditing.
    Estimate Maximum Audit Record Count: Estimated maximum number of audited records to process. Populates after selecting Estimate Record Count. This field is only visible when Process Historical Records is selected.
      Note: The estimate may be larger than the actual number of records processed.
    Run: Select the period between job executions.
    Starting: Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.

Schedule a decryption job

You can schedule a job to decrypt data in an encrypted field, to store clear data in the instance.

Before you begin

Note: You must mark the encryption record for the field as inactive (clear the Active box) in order to run the decryption job.

Role required: security_admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to decrypt.
  3. Under Related Links, click Schedule Mass Decryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field: Value
    Name: Enter a descriptive name.
    Job Type: Select Decryption.
    Active: Clear this check box if you want to deactivate this job.
    Table: Select a table.
    Column: Select a column.
    Estimated record count: Total estimated number of records to process. Populates after selecting Estimate Record Count.
    Process Historical Records: Select to process historical records in the Audit table if the field is audited. When encrypting historical records for a field in the Audit table, both new values and old values are encrypted.
      To learn more about audited fields, see Auditing.
    Estimate Maximum Audit Record Count: Estimated maximum number of audited records to process. Populates after selecting Estimate Record Count. This field is only visible when Process Historical Records is selected.
      Note: The estimate may be larger than the actual number of records processed.
    Run: Select the period between job executions.
    Starting: Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.