Cloud Encryption logging

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Cloud Encryption logging

    This documentation explains the logging options available for Cloud Encryption within your ServiceNow instance. It details key tables where Cloud Encryption transaction logs are stored and how you can monitor key lifecycle and transaction states, including operations like key rotation and withdrawal.

    Show full answer Show less

    Logging Tables and Their Uses

    • Cloud Encryption Metadata [darekeymetadata]: Stores metadata related to key lifecycle management such as key origin, activation date, state, and version. This table is updated after every key operation.
    • Key Management Transactions [darekeyrequest]: Captures detailed transaction information for key management processes, including the state and status of each request and any error messages. Completed transactions are retained here.
    • Sys Audits [sysaudit]: Records inserts and updates on all audited records across your instance, including changes made to Cloud Encryption metadata. It logs who made the change, when it was made, the fields changed, and the old and new values.

    Monitoring Key Operations

    To monitor key rotation:

    • Use the darekeymetadata table to track lifecycle changes such as a key moving from active to rotated, and version changes from active to retired.
    • Use the darekeyrequest table to follow each step of key management transactions and verify their completion status.
    • Review the sysaudit table for audit logs showing who updated key records and details of changes during rotation.

    For key withdrawal operations:

    • Withdrawal details are logged primarily in the sysaudit table, capturing the initiator and timing of the withdrawal.
    • Key lifecycle states update from generated to active to destroyed, and version states update from unknown to active to retired, visible in the darekeymetadata table.
    • Audit logs provide a detailed history of changes related to key withdrawal.

    Practical Benefits for ServiceNow Customers

    These logging capabilities allow administrators to effectively track and audit Cloud Encryption key lifecycle events and transactions, ensuring visibility and control over key management processes. By leveraging these tables, you can maintain compliance, troubleshoot issues, and verify operational status of encryption keys within your ServiceNow instance.

    Learn about logging options for Cloud Encryption.

    Cloud Encryption logging tables

    Use these tables to find logging information related to Cloud Encryption transactions on your instance.

    Table Description
    Cloud Encryption Metadata [dare_key_metadata] Cloud Encryption Metadata captures key life-cycle management metadata. On this table you can find key life-cycle, state, and version information. This table is updated after each key operation.
    Key Management Transactions [dare_key_request] Key Management Transactions captures key management transaction information. On this table you can find logging for each step of a transaction. The table records any error information for a transaction in the error message field.
    Sys Audits[sys_audit] The Sys Audits table captures inserts and updates to all audited records on your instance. On this table you can find changes to records on your instance, when the changes were made, and which user account initiated the change.

    Monitor key rotation operations

    Use the Cloud Encryption Key Metadata [dare_key_metadata] table to find information on the life-cycle of your key. In this table you can find information like the origin, activation date, state, and version of your keys.

    Use the Key Management Transactions [dare_key_request] table to monitor transactions of key operations. In this table you can find all requests relating to your keys, including the state, status, and which step in the process the request is in. Completed requests are retained on this table with the Completed status.

    This example shows a key rotation operation. During this operation, the old key life- cycle state updates from active to rotated, and the version state updates from active to retired.

    Figure 1. Key definition for a rotated key
    Key definition for a withdrawn key

    Looking at the Sys Audits[sys_audit] table, admins can see changes made to records on the Cloud Encryption Key Metadata [dare_key_metadata] table. Admins can see which records were updated and when. The log entries also record the field that was changed, and the old and new values.

    Figure 2. Audit logs for a withdrawn key
    Key definition for a withdrawn key

    Admins can view the records on the Cloud Encryption Key Metadata [dare_key_metadata] table. In the following audit records, the request status was changed from processing to completed.

    Figure 3. Audit logs for a withdrawn key
    Key definition for a withdrawn key

    Logging for key withdrawal operations

    Logging information on key withdrawal is stored in the Audits [sys_audit] table. This logging information contains information on who initiated the key withdrawal and when the withdrawal took place.

    This example shows a key withdrawal operation. During this operation, the key lifecycle state updates from generated, to active, to destroyed. The key version updates from unknown, to active, to retired.

    Figure 4. Key definition for a withdrawn key
    Key definition for a withdrawn key

    Looking at the Sys Audits[sys_audit] table, admins can the Cloud Encryption Key Metadata [dare_key_metadata] table changes.

    Figure 5. Audit logs for a withdrawn key
    Key definition for a withdrawn key