Exploring Database Encryption

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read

ServiceNow® offers database encryption (DBE) and full-disk encryption for customers whose statutory data-protection obligations require at-rest protection for all data.

Important:
Starting with the Washington DC release, Database Encryption is being prepared for future deprecation. Cloud Encryption is the replacement solution for data-at-rest encryption. For details, see Cloud Encryption with Key Management.

Database Encryption protects all data with symmetric AES-256 encryption, whether the database is online or offline. From the ServiceNow AI Platform's perspective, all data arrives decrypted: encryption and decryption happen below the application layer. DBE therefore protects the data files and their copies from anyone who obtains them without the keys; it does not hide data from a user or integration that is already authorized to query the platform.

• Database Encryption encrypts all stored data in real time, protecting it online and offline with no loss of functionality.
• Full-disk encryption protects offline data if a disk is lost or stolen.

    Database Encryption

With Database Encryption, all stored data is encrypted on disk; individual records or tables are decrypted in memory only while they are being accessed. New or changed data is encrypted as it is written to a table, and the associated database log files (bin, redo, undo, and error) are encrypted as well.

Database Encryption is transparent to users, with no loss of functionality. When the feature is enabled, every instance is encrypted, along with its replication traffic and backups, so replicas and backup copies carry the same protection as the primary database. Instance cloning remains available; the performance cost of Database Encryption is minor, up to 5%. Both new and existing instances on supported releases of the ServiceNow AI Platform can use it.

ServiceNow stores and manages keys using a three-level key hierarchy (illustrated in the Key management figure on the original page):

1. A customer-specific AES-256 key is created by the database engine and is used to encrypt the data.
2. A second customer-specific AES-256 key is created by the database engine and is used to protect the first-level key.
3. A third AES-256 key is created by and stored within FIPS 140 validated key management appliances in the ServiceNow data centers. This key protects the second-level key and is unique per customer instance.

The ServiceNow AI Platform also supports Database Encryption with Customer Controlled Switch (DBE with CCS), in which the customer supplies the key. It encrypts all data at rest in the database with industry-standard AES encryption and no impact on functionality: the database encrypts data as it is written to disk and decrypts it as it is read back, so applications always operate on plaintext and their logic and functions are unaffected.
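To make the three-level key hierarchy and the customer-controlled switch concrete, here is an added example in Go. It is not ServiceNow's code (the page does not publish the implementation); the names KeyAppliance, StoredInstance, Encrypt and Decrypt are the example's own, AES-256-GCM is the example's choice of mode (the page states only AES-256), the appliance is an in-memory stand-in for the FIPS 140 validated key management appliance, and its Enabled flag is a hypothetical model of the customer-controlled switch as "the appliance withholds the level-3 key". The sample record is constructed for the example. What it shows that the prose does not: only ciphertext and wrapped keys exist at rest, a single flipped bit in a wrapped key is rejected rather than decrypted into garbage, and withholding the top-level key makes every level below it, and so the data, unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256: every level of the hierarchy uses a 32-byte key

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing has no sensible fallback
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always keyLen bytes, so this is a programming error
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag, the form that sits on disk.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen reverses gcmSeal; a wrong key or a modified blob fails the tag check.
func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than a GCM nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyAppliance stands in for the FIPS 140 validated appliance holding the level-3 key.
// Enabled is a hypothetical model of the customer-controlled switch, not ServiceNow's design.
type KeyAppliance struct {
	level3  []byte
	Enabled bool
}

func NewKeyAppliance() *KeyAppliance { return &KeyAppliance{level3: randomBytes(keyLen), Enabled: true} }

func (a *KeyAppliance) level3Key() ([]byte, error) {
	if !a.Enabled {
		return nil, errors.New("level-3 key withheld: customer-controlled switch is off")
	}
	return a.level3, nil
}

// StoredInstance is everything that rests on disk; no plaintext key is ever stored.
type StoredInstance struct {
	Ciphertext    []byte // data under the level-1 key
	WrappedLevel1 []byte // level-1 key under the level-2 key
	WrappedLevel2 []byte // level-2 key under the level-3 key
}

// Encrypt: level 1 encrypts data, level 2 wraps level 1, the appliance's level 3 wraps level 2.
func Encrypt(app *KeyAppliance, plaintext []byte) (*StoredInstance, error) {
	l3, err := app.level3Key()
	if err != nil {
		return nil, err
	}
	l1, l2 := randomBytes(keyLen), randomBytes(keyLen)
	return &StoredInstance{Ciphertext: gcmSeal(l1, plaintext),
		WrappedLevel1: gcmSeal(l2, l1), WrappedLevel2: gcmSeal(l3, l2)}, nil
}

// Decrypt walks the chain down: level 3 unwraps level 2, which unwraps level 1,
// which opens the data. Each step's output is the next step's key.
func Decrypt(app *KeyAppliance, s *StoredInstance) ([]byte, error) {
	key, err := app.level3Key()
	for _, blob := range [][]byte{s.WrappedLevel2, s.WrappedLevel1, s.Ciphertext} {
		if err != nil {
			return nil, err
		}
		key, err = gcmOpen(key, blob)
	}
	return key, err
}

func main() {
	app := NewKeyAppliance()
	stored, _ := Encrypt(app, []byte("constructed sample record: INC0000001 opened by alice"))
	pt, _ := Decrypt(app, stored)
	app.Enabled = false // the customer flips the switch; the appliance now withholds level 3
	_, err := Decrypt(app, stored)
	fmt.Printf("platform saw %q; with switch off: %v\n", pt, err)
}
```

The design point worth noticing is that levels 1 and 2 never need to leave the database host in plaintext: they are generated there and stored only in wrapped form, so rotating the level-3 key means re-wrapping one small blob per instance rather than re-encrypting the data. Conversely, anything that copies the data files (backups, replicas, a cloned instance) carries the wrapped keys with it and remains useless without the appliance.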

    Note:
Database Encryption is not supported for on-premises instances.

    If you are using your own keys for database encryption, see Database Encryption with Customer Controlled Switch.