Exploring Column Level Encryption

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Column Level Encryption

    Column Level Encryption is a core feature that allows ServiceNow customers to encrypt data in their instances using AES128 or AES256 encryption algorithms. This feature enables the encryption of specific database fields and stored files through defined encryption contexts, where users can specify what data is encrypted and manage access based on user roles. Understanding role administration is crucial for managing access to encrypted data.

    Show full answer Show less

    Key Features

    • Role-Based Access: Control access to encrypted data through assigned user roles, enhancing security.
    • AES Encryption: Choose between AES-128 and AES-256 for robust data protection.
    • Module Access Policies (MAPs): Create up to 5 MAPs with standard Column Level Encryption, supporting system users, scripts, and resource exchange.
    • Field Types Support: Encrypt various field types, including string text, dates, attachments, and URLs, with additional support in the Enterprise version.
    • Equality Preserving Encryption: Allows encrypted values to remain the same for identical field values, enabling equality comparisons.
    • APIs for Data Manipulation: Use getDisplayValue() and setDisplayValue() APIs for handling cleartext and encrypted data.

    Key Outcomes

    With Column Level Encryption Enterprise, customers can encrypt more field types, support more than 5 MAPs, automate key rotation for enhanced security, and manage the lifecycle of encryption keys. The service also includes ephemeral keys for single-session use, increasing security. A guided tour is available for setting up Field Encryption Modules, MAPs, and encrypted field configurations, alongside access to detailed documentation and training resources.

    Learn more about Field Encryption.

    Column Level Encryption overview

    Column Level Encryption is a base system feature that permits encryption of data stored within an instance using AES128, or AES256.

    Column Level Encryption enables you to encrypt selected database fields and stored files through the use of encryption contexts. In these contexts you define what is encrypted, choose which algorithm to use, and supply the encryption key, which is stored within your instance.

    After the context is created, you can associate it to a user role. Users assigned to this role, either directly of through a group, are able to access the encrypted data.

    Because Column Level Encryption bases access to data on role assignment, it’s important to be familiar with administering roles on your instance. For more information, see Managing roles.

    Column Level Encryption benefits

    Benefit Feature Required Roles
    Configure access to your encrypted data based on assigned user roles. Role-based access to encrypted data security admin
    Protect your data using the Advanced Encryption Standard (AES). You can choose to use either the AES-128 or AES-256 encryption algorithms. AES Encryption security admin
    Create up to 5 modules and module access policies (MAP)s using the standard version of Column Level Encryption. MAPs expand on role-based access to allow considerations for:
    • System users
    • Scripts
    • KMF Resource Exchange
    Column Level Encryption Enterprise supports additional MAPs.    		 Support for up to 5 modules and module access policies (MAP)s security admin
    Encrypt common field types using the standard version of Column Level Encryption. Column Level Encryption Enterprise supports additional field types. Encryption for String text, Date and Date/Time fields, attachments, and URLs security admin
    Choose between standard and equality preserving encryption. When enabled, equality preserving encryption ensures that the encrypted value of a field is the same when the field value remains the same. This type of encryption enables equality comparisons and group by operations on a field.
    Note:
    Non-deterministic encryption isn’t supported.
    		 Equality preserving encryption support security admin
    Use getDisplayValue() and setDisplayValue() APIs to return cleartext values and insert encrypted data for encrypted fields. getDisplayValue() and setDisplayValue() APIs security admin, developer

    Field Encryption Enterprise benefits

    Column Level Encryption Enterprise builds on the existing Column Level Encryption framework and provides these additional features after you purchase a subscription.

    Benefit Feature Required Roles
    Encrypt additional field types. Support for additional field types:
    • HTML
    • Journal
    • Translated
    		 security admin
    Column Level Encryption Enterprise supports more than 5 modules and module access policies to provide more options for access to secured data. Support for additional modules and MAPs security admin
    Keys from a key vault can be rotated on an automated schedule you configure. Using automatic key rotation can improve security while reducing administrative overhead. Configurable automatic key rotation security admin
    Manage the full life cycle of your data encryption keys. Optionally, you can securely exchange data encryption keys generated within your environment. Customer supplied keys security admin
    Ephemeral keys are cryptographic keys that are generated for each execution of a cryptographic process. These keys more secure because they’re generated for use in a single session. Ephemeral cryptographic keys security admin
    Updated setDisplayValue() and setDisplayValue() APIs can insert encrypted data for encrypted fields. Updated getDisplayValue() and setDisplayValue() APIs security admin, developer