Cloud Encryption with Key Management
Summary of Cloud Encryption with Key Management
ServiceNow® Cloud Encryption provides encrypted storage at the database level using block encryption, coupled with advanced key management capabilities. It is included with the ServiceNow® Platform Encryption subscription bundle and supports enhanced security features such as segregation of duties and key rotation. Cloud Encryption is available for both production and non-production instances using MariaDB and RaptorDB databases, and is supported across key ServiceNow cloud environments including Commercial Cloud, Government Customer Cloud pod 101, and the ServiceNow Protected Platform – Australia.
Key Features
- Key Management Options: Supports ServiceNow-managed keys with automatic rotation and customer-managed keys where customers control key operations but ServiceNow retains the keys on its infrastructure. Customers can bring their own key material (BYOK), rotate keys, or withdraw keys as needed.
- Cloud Encryption Key Management Module: Includes submodules for key management operations (viewing and managing keys, performing key rotations, withdrawing keys), key management transactions (logging all key-related transactions), and BYOK functionality.
- Key Withdrawal and Quorum Control: Customers using customer-managed keys can request key withdrawal by licensing an optional add-on (Cloud Encryption Withdraw and Resupply SKU). This enables the Quorum Control Policy, which enforces a minimum number of approvals for key withdrawal operations, enhancing security governance.
- Security Enhancements: Supports tamper detection to identify unauthorized changes to quorum control settings and offers comprehensive logging for Cloud Encryption activities.
- Access and Roles: The Cloud Encryption UI is accessible to security_admin users with the sn_kmf.admin role, allowing them to manage encryption keys and view encryption status for their instance.
Licensing and Enablement
Cloud Encryption requires the Platform Encryption subscription bundle. For new instances under this subscription, Cloud Encryption is provisioned by default. Existing instances can be migrated to Cloud Encryption by submitting a request via ServiceNow’s Service Catalog, requiring either a customer admin or partner admin role. Enabling Cloud Encryption involves scheduling a one-hour maintenance window.
Practical Benefits for ServiceNow Customers
- Ensures data at rest is securely encrypted, meeting compliance and security best practices.
- Provides flexibility and control over encryption keys, including the ability to bring your own keys and manage key lifecycle operations directly.
- Improves operational security with segregation of duties, tamper detection, and quorum controls for sensitive key withdrawal processes.
- Offers visibility and auditability of all key management transactions for compliance and troubleshooting.
ServiceNow® Cloud Encryption offers encrypted storage for the database using block encryption, along with enhanced key management. Cloud Encryption is available with the ServiceNow® Platform Encryption subscription bundle.
- Segregation of duties.
- Rotation of ServiceNow Managed keys.
- Customer-Managed keys option. Note: With customer-managed keys, ServiceNow holds the encryption key on its infrastructure, but you perform key operations on it. Managing your key means you can bring your own key material (BYOK), rotate ServiceNow-managed or customer-managed keys, and withdraw your key. Keys aren't hosted on your own infrastructure. See Key management operations for details.
The following diagram shows how Cloud Encryption works.
- Key management operations:
  - Access the list of keys.
  - Perform key rotation operations.
  - Withdraw customer-managed key.
- Key management transactions: Reference all transactions that have occurred for the keys that have been used.
- Bring your own encryption key (BYOK) for use with Cloud Encryption: Use your own customer-managed key for encryption.
In certain circumstances, you may opt for a key withdrawal request when using a customer-managed key. To do so, you must license the Cloud Encryption Withdraw and Resupply optional add-on SKU and then request the key withdrawal functionality be activated by a Customer Service and Support team member.
The Quorum Control Policy Settings option becomes available when the withdrawal feature is activated; otherwise the module isn't visible on the menu. This feature can be activated only when using customer-managed keys. Once the withdrawal feature is activated, this policy lets you configure the quorum settings that govern key withdrawal. For more details on this feature, see Quorum Control Policy.
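As an added illustration of the controls described above (key rotation with BYOK material, a transaction log of every key operation, and withdrawal of a customer-managed key gated by a quorum of approvals with tamper detection on the quorum settings), the following Python model is not ServiceNow's code or API; every class, function and value in it is hypothetical and constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class QuorumPolicy:
    """Minimum number of distinct approvals required before a withdrawal proceeds."""
    required_approvals: int
    approvers: frozenset  # user ids permitted to approve a withdrawal


class KeyManagementModel:
    """Toy model (hypothetical, not the ServiceNow implementation) of rotation,
    quorum-gated withdrawal and transaction logging for encryption keys."""

    def __init__(self, policy: QuorumPolicy, integrity_secret: bytes):
        self._integrity_secret = integrity_secret
        self.policy = policy
        # Seal the quorum settings so a later unauthorised edit is detectable.
        self._policy_seal = self._seal(policy)
        self.keys = {}          # key_id -> {"material", "owner", "state"}
        self.active_key_id = None
        self.transactions = []  # append-only audit trail of key operations

    def _seal(self, policy: QuorumPolicy) -> str:
        canonical = f"{policy.required_approvals}|{','.join(sorted(policy.approvers))}".encode()
        return hmac.new(self._integrity_secret, canonical, hashlib.sha256).hexdigest()

    def policy_tampered(self) -> bool:
        """True when the current quorum settings no longer match the sealed copy."""
        return not hmac.compare_digest(self._seal(self.policy), self._policy_seal)

    def _log(self, action: str, key_id: str, actor: str, outcome: str) -> None:
        self.transactions.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "key_id": key_id, "actor": actor, "outcome": outcome,
        })

    def rotate(self, actor: str, material: Optional[bytes] = None) -> str:
        """Retire the active key and activate a new one. Supplying `material`
        models BYOK (customer-managed); otherwise a platform-generated key is used."""
        if self.active_key_id is not None:
            self.keys[self.active_key_id]["state"] = "retired"
        key_id = f"key-{len(self.keys) + 1:03d}"
        self.keys[key_id] = {
            "material": material if material is not None else secrets.token_bytes(32),
            "owner": "customer" if material is not None else "servicenow",
            "state": "active",
        }
        self.active_key_id = key_id
        self._log("rotate", key_id, actor, "success")
        return key_id

    def withdraw(self, key_id: str, actor: str, approvals: set) -> None:
        """Withdraw a customer-managed key only when the quorum is satisfied."""
        key = self.keys[key_id]
        if key["owner"] != "customer":
            self._log("withdraw", key_id, actor, "denied: not customer-managed")
            raise PermissionError("only customer-managed keys can be withdrawn")
        if self.policy_tampered():
            self._log("withdraw", key_id, actor, "denied: quorum settings tampered")
            raise RuntimeError("quorum settings failed tamper check")
        valid = approvals & self.policy.approvers  # ignore approvers not in the policy
        if len(valid) < self.policy.required_approvals:
            self._log("withdraw", key_id, actor,
                      f"denied: {len(valid)}/{self.policy.required_approvals} approvals")
            raise PermissionError("quorum not met")
        key["state"] = "withdrawn"
        if self.active_key_id == key_id:
            self.active_key_id = None
        self._log("withdraw", key_id, actor, f"success: approved by {sorted(valid)}")


def demo() -> KeyManagementModel:
    """Constructed scenario: 2-of-3 quorum, one platform key, one BYOK key."""
    policy = QuorumPolicy(required_approvals=2, approvers=frozenset({"alice", "bob", "carol"}))
    kmf = KeyManagementModel(policy, integrity_secret=secrets.token_bytes(32))
    kmf.rotate("platform")                          # ServiceNow-managed key
    byok = kmf.rotate("alice", material=b"\x01" * 32)  # customer-managed key (BYOK)
    try:
        kmf.withdraw(byok, "alice", {"alice"})      # one approval: denied and logged
    except PermissionError:
        pass
    kmf.withdraw(byok, "alice", {"alice", "bob"})   # quorum met: withdrawn and logged
    return kmf
```

The seal over the quorum settings is what makes the tamper check meaningful: lowering `required_approvals` without re-sealing is rejected before any withdrawal is considered, and the denial is recorded in the transaction log alongside the successful operations.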
Cloud Encryption supports production and non-production instances for MariaDB and RaptorDB databases. Cloud Encryption is supported in the ServiceNow Commercial Cloud, Government Customer Cloud (GCC) pod 101, and ServiceNow Protected Platform – Australia (SPP-AU).
Licensing and enabling Cloud Encryption
For information about licensing Cloud Encryption, see Encryption and Key Management subscription bundle.
For licensed customers with new instances, the new instance provisioning will include Cloud Encryption.
For licensed customers with existing instances, to request an instance be moved to Cloud Encryption, follow the instructions in KB1117369. You must have the customer admin or partner admin role to request the Service Catalog item to Enable Cloud Encryption on your instance. Enabling this feature requires a one-hour maintenance window.
Cloud Encryption UI
When Cloud Encryption is enabled, the Cloud Encryption user interface (UI) is visible to the security_admin user when this user has the sn_kmf.admin role.
To access the Cloud Encryption UI, search for Cloud Encryption Key Management in the navigation bar. Navigate to the Key Management Operations section to see information about encryption keys, such as details of the active key, and whether Cloud Encryption is enabled for the instance.