Exploring Edge Encryption

  • Release version: Australia
  • Updated March 12, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Edge Encryption

    Edge Encryption is a client-side network encryption system that encrypts and decrypts sensitive data within your own network before it travels to the ServiceNow cloud. It requires installation of a proxy application on your infrastructure, giving you full control of encryption keys, which never leave your network. This ensures that sensitive data remains encrypted during transit and storage, with no plaintext access by ServiceNow personnel or systems. Edge Encryption is an optional, add-on security feature designed to protect data end-to-end and enhance data privacy.

    Show full answer Show less

    Key Features

    • Proxy-based encryption: A ServiceNow-provided proxy installed in your network encrypts specified data fields and attachments before sending data to ServiceNow and decrypts it upon retrieval within your network.
    • Key management: You fully own and manage encryption keys locally; keys are never transmitted to ServiceNow.
    • Encryption methods: Supports AES-128 and AES-256 encryption with standard, equality-preserving, and order-preserving options.
    • Field and data type support: Encrypts string, date, date/time, email, URL, IP address, journal fields, and attachments. Service catalog variables of similar types can also be encrypted.
    • Tokenization patterns: Allows tokenization of data matching regular expressions such as social security or credit card numbers, supplementing field encryption.
    • Database requirements: A MySQL proxy database on your network is needed if using order-preserving encryption or tokenization patterns; cleartext values are stored locally and must be secured and backed up.
    • Integration with ServiceNow AI Platform: Acts as a secure gateway, encrypting outbound data and decrypting inbound data without exposing keys to ServiceNow.
    • Encryption rules and scripting: Enables custom scripts to define encryption logic for complex data structures.
    • Role-based access: Only users logged in via the proxy can view decrypted data; administration requires a designated securityadmin role.

    Considerations and Limitations

    • Performance impact: Adds an extra network hop and processing overhead, though delays are generally minimal.
    • Key management complexity: Managing encryption keys locally requires careful administration; only two active keys are supported at a time.
    • Functional restrictions: Because data is encrypted before reaching ServiceNow, certain platform functionalities and data processing capabilities may be limited.
    • Key assignment limitations: Cannot assign different keys to subsets of columns or user roles; a single key version is used for encrypting and decrypting relevant data.

    Implementation and Operational Requirements

    • You must install and maintain the Edge Encryption proxy server and, if needed, a proxy database within your network.
    • Network administration tasks such as hosting, routing, DNS configuration, backup, and security of the proxy environment are your responsibility.
    • Before enabling Edge Encryption, evaluate its impact on your instance processes and review system requirements, sizing, limitations, and key management procedures.
    • Edge Encryption requires installation of a ServiceNow plugin in your instance, which includes tables, properties, and roles for administration.

    Benefits for ServiceNow Customers

    • Complete control over sensitive data encryption and key management within your own infrastructure.
    • End-to-end encryption that prevents unauthorized access to sensitive information by ServiceNow or external parties.
    • Flexible encryption options that cover a wide range of field types and sensitive data, including attachments and complex data patterns.
    • Enhanced data security and compliance posture through client-side encryption and tokenization techniques.

    Edge Encryption is a network encryption system that resides on your network and that encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud.

    What is Edge Encryption

    Also referred to as ‘client-side’ encryption, Edge requires all bi-directional user traffic to pass through proxies that are maintained on your infrastructure. You have the full control over your key management because the keys are stored within your proxy on your infrastructure. The ServiceNow AI Platform can’t decrypt your ciphertext to access your keys.

    The Edge Encryption feature is an additional cost option that provides you with the ability to control the end-to-end encryption of your data and key management. Edge Encryption uses a proxy application, provided by ServiceNow and installed by you within your own network. This proxy application tokenizes specified data patterns or encrypts string fields, Date fields, Date/Time fields, and attachment data before it’s sent from your environment to your instance. The proxy application also decrypts the same data, again only within your own network, using keys stored only within your own network.

    The relevant encryption keys and configuration exist only on the Edge proxy within your network and aren’t visible to ServiceNow. The data is encrypted from the moment that it leaves your environment and is only decrypted upon retrieval. At no point is the data accessible in plaintext by ServiceNow systems or personnel.

    Who uses Edge Encryption

    Only a user logged in to the instance through a proxy server on your network can view encrypted data in clear text. Likewise, only a security_admin user logged in to an instance through a proxy server in your network can configure and administer Edge Encryption.

    Because the proxy server resides in your network, you own and manage the encryption keys, and they’re never sent to the instance. As a result, ServiceNow never shows sensitive data in clear text.

    In addition to the Edge proxy configuration and management of rules, you’re responsible for the usual requirements of operating a server within your environment (including hosting, routing, backup, DNS configuration, and so on) to enable and support your Edge proxies.

    Encryption and tokenization

    Edge Encryption supports both encryption (through encryption configurations) and tokenization (through encryption patterns) as a means of protecting your sensitive information.

    Encryption configurations
    You can encrypt individual fields using encryption configurations. Edge Encryption supports AES 128-bit and AES 256-bit encryption keys. Edge Encryption supports standard, equality-preserving, and order-preserving encryption types.
    In addition to attachments, you can encrypt the following field types:
    • Date
    • Email
    • Date/Time
    • IP Address
    • Journal
    • Journal Input
    • Multi-line text
    • Single-line text
    • String
    • URL
    Note:

    If a Journal field marked for encryption is added to the activity stream, all user input to the field is encrypted in the activity stream.

    Multi-byte characters within supported field types can be encrypted.

    You can also encrypt the following service catalog variable types:
    • String Types
      • Single-line text
      • Multi-line text
      • Wide single-line text
    • Date
    • Date/Time
    • URL
    • Email
    • HTML
    • IP Address
    Encryption patterns
    You can use encryption patterns to tokenize strings that match regular patterns such as social security and credit card numbers. While encryption configurations should be the primary method of encryption, use encryption patterns as a supplement to secure sensitive information found outside of encrypted fields.
    Note:
    The Edge Encryption proxy server requires a MySQL database in your network only if using order preserving encryption or encryption patterns. Clear text values are stored in the proxy database in your network. For this reason, it is critical that you secure and regularly back up your proxy database. For recommendations, see Edge Encryption components.

    Flow of data using Edge Encryption.

    Edge Encryption on the ServiceNow AI Platform

    Edge Encryption acts as a gateway between your browser and your ServiceNow instance. Traffic from your browser passes through the gateway on its way to the ServiceNow instance. The gateway, in turn, is configured to encrypt outbound data that is marked for encryption. Inbound traffic is decrypted through the gateway, and the end user sees clear text in the browser. The advantage of this implementation from a security control perspective is that the encryption and key management are handled externally from ServiceNow.

    Pros and cons

    As with Field Encryption Enterprise and Field Encryption, Edge Encryption imposes some functional limitations within an instance as a result of the additional security. The local Edge proxy does, however, also provide some additional functionality relating to sorting when compared to column-level encryption.

    Pros:
    • Edge Encryption provides absolute control of who sees your information and prevents data breaches.
    • Information remains on your proxy server and never leaves your network unencrypted.
    • Information is encrypted in transit, before it even reaches the ServiceNow instance.
    • You hold and manage all your own encryption keys. No one else, not even ServiceNow personnel, can access your keys.
    • You can choose the strength of the encryption algorithm: AES-128 or AES-256.
    • Edge Encryption includes the ability to encrypt String text, Date and Date/Time fields, attachments, URLs, and journals.
    • Edge Encryption provides Standard, Equality Preserving, and Order Preserving encryption of data at rest within the database and instance.
    • Encryption rules enable you to write custom scripts that tell the proxy server specifically what to encrypt and where to put that encrypted information in the instance. These scripts are useful when the data structure doesn't exactly match the ServiceNow instance.
    • Encryption patterns enable you to tokenize information such as passwords.
    Cons:
    • Edge Encryption requires an extra network hop through the Edge proxies cluster, and extra processing, which can add delay to traffic. The added processing delay of the Edge Encryption application is negligible compared to the network hop.
    • Maintaining your own encryption keys can be complex and time-consuming.
    • A maximum of two encryption keys can be active at any given time. You cannot assign different keys to specific subsets of columns, data categories, user roles, or access scopes. However, one key can encrypt certain columns while a different version of the same key can be used to decrypt others.
    • Edge Encryption has the side effect that the server or platform can't decrypt the data to perform any manipulation of the decrypted data. As a consequence, functionality and data processing on the ServiceNow AI Platform may be restricted when encrypting columns with Edge Encryption.

    What to know before you begin

    Because encryption and tokenization change the nature of your data, Edge Encryption can affect other instance processes. Before using Edge Encryption, carefully consider the impact on your instance.

    Because the proxy server is installed and maintained in your network, Edge Encryption requires network administration and management. Review the network requirements to ensure a smooth implementation.

    Review the following topics to understand the impact of Edge Encryption on your instance: