08-04-2021 12:31 PM
As we are all aware, "Column Level Encryption (CLE) is replaced by Platform Encryption".
However, the customer still has a choice to go with either Column Level Encryption (CLE) or Platform Encryption (PE).
Can anyone please share the primary differences between the two so we can make the right decision on whether CLE or PE is the better choice?
Thank you in advance!
08-04-2021 01:49 PM
Encryption (Column Level): Product Documentation: Orlando Release
Encryption Support
Encryption Support, also known as column-level encryption, is a built-in feature which permits encryption of string, Date, Date/Time, or attachment fields using AES-128 or AES-256. You can encrypt existing non-system string fields or add new fields to use for encryption.
Implementation of column-level encryption begins with defining one or more encryption “contexts” in your instances of the Now Platform. This process includes selecting the desired encryption algorithm and providing an appropriate secret key. Access to data later encrypted using the feature is role-based, with contexts being associated with roles. Users without the correct role don't see the field at all, or if they are assigned a role with a different context, a blank field appears. Figure 1 illustrates how role-based encryption is enabled.

Platform Encryption: Quebec
https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/now-platform-encryption/concept/now-platform-encryption.html
Column Level Encryption and Platform Encryption
Platform Encryption with the Key Management Framework offers an alternative encryption solution to you compared to Column Level Encryption (CLE). See Understanding the Key Management Framework for details on how Platform Encryption with KMF compares to CLE.
See Cryptographic purpose, algorithms, and key information for encryption/decryption algorithms supported.
KMF in Platform Encryption vs. CLE (with encryption contexts)
Column Level Encryption (CLE) specifies encryption contexts for the creation of encryption keys. Contexts are assigned to users based on role. These encryption contexts provide only rudimentary key management capabilities.
Platform Encryption is the successor to column level encryption using KMF and its full support of key management functions. Specifically, Platform Encryption utilizes KMF’s cryptographic modules, granting you more control of server-side encryption. KMF ensures proper data encryption key protection using key hierarchy and envelope encryption. Cryptographic modules use specifications and access policies with lifecycle management control over the key for the module, whether it's a ServiceNow key or your own customer supplied key.
The Encrypted Field Configuration form is used in both. With Platform Encryption, you choose the type of encryption: column encryption or attachment encryption.
- In the CLE model, encryption is performed via encryption contexts. Each context is mapped to a role, which is mapped to a user.
- With Platform Encryption, your instance encrypts data through cryptographic modules that you configure. You can create an access policy for each module based on role or resource exchange. See Understanding the Key Management Framework and Cryptographic module overview for an explanation of what modules are and how they work. See Create a cryptographic module and Create module access policy for instructions.
08-16-2021 09:00 PM
- Quebec: Best practice NIST 800-57 key lifecycle management and FIPS 140-2-L3 key protection, performance improvements
- Rome: system and script module access policies will enable regular, unencumbered workflows, orchestration and reporting – app functionality that's historically been disrupted by encryption
- Tokyo and beyond: support for additional field types and many other enhancements
- Platform Encryption is a licensed application (20% of net ACV)
Just FYI, for Rome and Quebec, the name "Platform Encryption" will shortly be changing to "CLE Enterprise" - this just happened, so look for documentation changes to occur over the next few weeks.
We have many encryption options at all different price points and we understand that evaluating these takes serious time investment for customers. Our goals are to simplify evaluation, optimize UX, and improve the value exchange. The Encryption family is undergoing a commercial overhaul over the next two releases, so watch for some significant announcements in the San Diego timeframe.
08-25-2021 01:37 PM
Thank you Gary for the latest updates on this!
I will keep on looking further into this in the coming days/weeks.