Create Encrypted Field Configurations

  • Versão de lançamento: Australia
  • Atualizado 12 de mar. de 2026
  • 2 min. de leitura

    • Configure specific table fields to be encrypted using your External Key Management Service (EKMS) cryptographic module with external Amazon Web Services Key Management System (AWS KMS) key wrapping.

    Antes de Iniciar

    Roles required: admin, secuirty_admin, and sn_kmf.cryptographic_manager

    Confirm that you have created a cryptographic module with external key wrapping enabled. See Configure an external key definition.

    Por Que e Quando Desempenhar Esta Tarefa

    An Encrypted Field Configuration (EFC) connects a specific table column to your EKMS cryptographic module. EFC creates a secure encryption chain where your data can only be decrypted if both the ServiceNow data encryption key (DEK) and your external AWS key are available.

    Procedimento

    1. Navigate to All > System Security > Field Encryption > Field Encryption Enterprise > Configurations > Encrypted Fields.
    2. Select Create new.
    3. Complete the EFC form.
      Field Description
      Table Table whose fields or attachments are to be encrypted.
      Type

      Column to encrypt a table column or Attachment to encrypt all of a table's attachments.

      Types of data encrypted are:

      • String text (Full UTF-8)
      • Attachments
      • Date, Date/Time:
        Nota:
        You can create encrypted field configurations to encrypt existing Date and Date/Time fields. You can add a new encryption configuration to a parent table only. You can’t add a new encryption configuration to a child table.
      • URL
      • HTML
      • Journal
      • Translated
      Active Select to mark the configuration active. Deselect if the configuration isn’t yet in use.
      Column Column (field) to be encrypted if you selected column as the type.
      Encrypt by default Select this option to verify records that fall outside of the defined criteria are still encrypted by the default field encryption module. If you don't select this option, any records that fall outside of the condition builder criteria won't be encrypted.
      Field Encryption module The cryptographic module that the encrypted field configuration applies to.
      Nota:
      Verify that you select the crypto module that has the "External wrap key" flag enabled. Using a module without external wrapping encrypts data with ServiceNow's internal keys instead of your AWS KMS key.
      Method Select Single Module to set the field configuration across one module. Select Multiple Modules for role-based access that spans across more than one cryptographic module.
      Single Module
      Use this option to encrypt all attachments using a single module. Your users need access to this module, otherwise they aren't able to upload attachments.
      Multiple Modules
      Use this option to enable users to choose a module when uploading attachments. Users with access to one or more modules can select a module to use for encryption. Users with no module access can upload unencrypted attachments.
      Algorithm Encrypted Preserving

      [read-only]

      		 Indicates if the crypto module that you selected is already configured to support non-deterministic encryption. This means that if the same data is encrypted more than once, the encryption is different each time.
    4. Select Save.

    Resultado

    The field's data established by the EFC are encrypted using the Data Encryption Key (DEK) that is wrapped by your AWS KMS key.

    O que Fazer Depois

    Next steps:
    Aviso:
    Without configured module access policies, users might be unable to view the encrypted data, or access might be unrestricted depending on your system configuration. Configure access policies immediately after creating encrypted field configurations.