Create Encrypted Field Configurations

  • Release version: Australia
  • Updated April 1, 2026
Configure specific fields to be encrypted using your External Key Management Service (EKMS) cryptographic module with external Amazon Web Services Key Management System (AWS KMS) key wrapping.

    Before you begin

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Confirm that you have created a cryptographic module with external key wrapping enabled. See Configure an external key definition.

    About this task

    An Encrypted Field Configuration (EFC) connects a specific table column to your EKMS cryptographic module. EFC creates a secure encryption chain where your data can only be decrypted if both the ServiceNow data encryption key (DEK) and your external AWS key are available.

    Procedure

    1. Navigate to All > System Security > Field Encryption > Encrypted Field Configurations > New.
    2. Complete the EFC form.
      Field
        Description
      Type
        Column to encrypt a table column, or Attachment to encrypt all of a table's attachments.

        Types of data encrypted are:

        • String text (Full UTF-8)
        • Attachments
        • Date, Date/Time
          Note:
          You can create encrypted field configurations to encrypt existing Date and Date/Time fields. You can add a new encryption configuration to a parent table only. You can’t add a new encryption configuration to a child table.
        • URL
        • HTML
        • Journal
        • Translated
      Table
        Table whose fields or attachments are to be encrypted.
      Column
        Column (field) to be encrypted if you selected Column as the type.
      Active
        Select to mark the configuration active. Deselect if the configuration isn’t yet in use.
      Algorithm Encrypted Preserving
        [read-only]

        Indicates if the crypto module that you selected is already configured to support non-deterministic encryption. This means that if the same data is encrypted more than once, the encrypted output is different each time.
      Encrypt by default
        Select this option to verify that records that fall outside of the defined criteria are still encrypted by the default field encryption module. If you don't select this option, any records that fall outside of the condition builder criteria won't be encrypted.
      Crypto module
        The cryptographic module that the encrypted field configuration applies to.
        Note:
        Verify that you select the crypto module that has the "External wrap key" flag enabled. Using a module without external wrapping encrypts data with ServiceNow's internal keys instead of your AWS KMS key.
      Method
        Select Single Module to apply this access policy to one cryptographic module. Select Multiple Modules to apply this access policy across multiple cryptographic modules.
        Single Module
          Use this option to encrypt all attachments using a single module. Your users need access to this module, otherwise they aren't able to upload attachments.
        Multiple Modules
          Use this option to enable users to choose a module when uploading attachments. Users with access to one or more modules can select a module to use for encryption. Users with no module access can upload unencrypted attachments.
    3. Select Submit.
      Completed EFC form.

    Result

    Data in the fields covered by the EFC is encrypted using the Data Encryption Key (DEK), which is wrapped by your AWS KMS key.
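
    The encryption chain described under About this task, and the non-deterministic behavior noted in the form, shown as an added Node.js example that is not ServiceNow or AWS code. It assumes AES-256-GCM, a hypothetical makeExternalKms() object standing in for the external key service, a platform that stores only the wrapped DEK, and a constructed sample value.

```javascript
// Added illustration, not ServiceNow or AWS code. Assumptions: AES-256-GCM,
// a local object standing in for the external KMS, constructed sample value.
const crypto = require("crypto");

// AES-256-GCM with a fresh random IV per call, so output is non-deterministic.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // iv | tag | ciphertext
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if key is wrong
}

// Hypothetical external key service: the wrapping key never leaves this closure.
function makeExternalKms() {
  const kek = crypto.randomBytes(32);
  let enabled = true;
  const check = () => { if (!enabled) throw new Error("external key unavailable"); };
  return {
    disable() { enabled = false; },
    wrap(dek) { check(); return seal(kek, dek); },
    unwrap(wrapped) { check(); return unseal(kek, wrapped); },
  };
}

// Platform side (assumed model): only the wrapped DEK is stored with the data.
const newWrappedDek = (kms) => kms.wrap(crypto.randomBytes(32));
const encryptField = (kms, wrappedDek, value) =>
  seal(kms.unwrap(wrappedDek), Buffer.from(value, "utf8"));
const decryptField = (kms, wrappedDek, blob) =>
  unseal(kms.unwrap(wrappedDek), blob).toString("utf8");

function demo() {
  const kms = makeExternalKms();
  const wrappedDek = newWrappedDek(kms);
  const a = encryptField(kms, wrappedDek, "constructed sample value");
  const b = encryptField(kms, wrappedDek, "constructed sample value");
  const roundTrip = decryptField(kms, wrappedDek, a);
  kms.disable(); // external key disabled or revoked
  let afterDisable;
  try { afterDisable = decryptField(kms, wrappedDek, a); }
  catch (e) { afterDisable = e.message; }
  return { differs: !a.equals(b), roundTrip, afterDisable };
}
console.log(demo());
```

    Once the stand-in key service is disabled, the stored ciphertext and wrapped DEK are both still present but can no longer be decrypted.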

    What to do next

    Warning:
    Without configured module access policies, users might be unable to view the encrypted data, or access might be unrestricted depending on your system configuration. Configure access policies immediately after creating encrypted field configurations.