Cloud Encryption logging

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Cloud Encryption logging

    Cloud Encryption logging in ServiceNow Zurich release provides detailed tracking of key management and lifecycle events. This logging capability helps administrators monitor encryption key operations such as creation, rotation, and withdrawal by capturing relevant metadata, transaction details, and audit trails within specific system tables.

    Show full answer Show less

    Key Features

    • Cloud Encryption Metadata ([darekeymetadata]): Stores key lifecycle management metadata including key origin, activation date, state, and version. It is updated after every key operation to reflect current key status.
    • Key Management Transactions ([darekeyrequest]): Records detailed logs of each key management transaction step, including states, statuses, and any errors encountered. Completed requests remain stored with their final status.
    • Sys Audits ([sysaudit]): Tracks inserts and updates to audited records, including changes made to the Cloud Encryption Metadata table. This allows administrators to see what changes were made, when, and by whom, including field-level old and new values.

    Practical Use for ServiceNow Customers

    • Monitor Key Rotation: Use the [darekeymetadata] table to track the lifecycle state changes during key rotation (e.g., from active to rotated) and version updates (e.g., from active to retired). The [darekeyrequest] table provides step-by-step transaction status for rotation requests.
    • Audit Key Changes: The [sysaudit] table allows administrators to audit changes to key metadata records, such as status updates from processing to completed, providing an audit trail for compliance and troubleshooting.
    • Track Key Withdrawal: Key withdrawal operations are logged with lifecycle state changes (e.g., generated to active to destroyed) and version states (e.g., unknown to active to retired). The [sysaudit] table records who initiated the withdrawal and when, ensuring full transparency of key destruction activities.

    Key Outcomes

    By leveraging these logging tables, ServiceNow customers can maintain comprehensive visibility into their cloud encryption key management processes. This transparency supports operational control, security compliance, and efficient troubleshooting of encryption key lifecycle events.

    Learn about logging options for Cloud Encryption.

    Cloud Encryption logging tables

    Use these tables to find logging information related to Cloud Encryption transactions on your instance.

    Table Description
    Cloud Encryption Metadata [dare_key_metadata] Cloud Encryption Metadata captures key life-cycle management metadata. On this table you can find key life-cycle, state, and version information. This table is updated after each key operation.
    Key Management Transactions [dare_key_request] Key Management Transactions captures key management transaction information. On this table you can find logging for each step of a transaction. The table records any error information for a transaction in the error message field.
    Sys Audits[sys_audit] The Sys Audits table captures inserts and updates to all audited records on your instance. On this table you can find changes to records on your instance, when the changes were made, and which user account initiated the change.

    Monitor key rotation operations

    Use the Cloud Encryption Key Metadata [dare_key_metadata] table to find information on the life-cycle of your key. In this table you can find information like the origin, activation date, state, and version of your keys.

    Use the Key Management Transactions [dare_key_request] table to monitor transactions of key operations. In this table you can find all requests relating to your keys, including the state, status, and which step in the process the request is in. Completed requests are retained on this table with the Completed status.

    This example shows a key rotation operation. During this operation, the old key life- cycle state updates from active to rotated, and the version state updates from active to retired.

    Figure 1. Key definition for a rotated key
    Key definition for a withdrawn key

    Looking at the Sys Audits[sys_audit] table, admins can see changes made to records on the Cloud Encryption Key Metadata [dare_key_metadata] table. Admins can see which records were updated and when. The log entries also record the field that was changed, and the old and new values.

    Figure 2. Audit logs for a withdrawn key
    Key definition for a withdrawn key

    Admins can view the records on the Cloud Encryption Key Metadata [dare_key_metadata] table. In the audit records below, the request status was changed from processing to completed.

    Figure 3. Audit logs for a withdrawn key
    Key definition for a withdrawn key

    Logging for key withdrawal operations

    Logging information on key withdrawal is stored in the Audits [sys_audit] table. This logging information contains information on who initiated the key withdrawal and when the withdrawal took place.

    This example shows a key withdrawal operation. During this operation, the key lifecycle state updates from generated, to active, to destroyed. The key version updates from unknown, to active, to retired.

    Figure 4. Key definition for a withdrawn key
    Key definition for a withdrawn key

    Looking at the Sys Audits[sys_audit] table, admins can the Cloud Encryption Key Metadata [dare_key_metadata] table changes.

    Figure 5. Audit logs for a withdrawn key
    Key definition for a withdrawn key