Exploring Field Encryption

  • Release version: Zurich
  • Updated April 17, 2026
  • 2 minutes to read

    • Learn the details of Field Encryption Starter and Field Encryption Enterprise

    Encryption-backed access control

    By default, Field Encryption blocks all users, scripts, and system processes from accessing encrypted data. However, Field Encryption has an access control feature that is used in combination with, but also separate from, Access Control Lists (ACLs) to ensure only the correct users, scripts, or system processes can access encrypted data.

    You can configure the access control feature of Field Encryption through a combination of Field Encryption Modules, Encrypted Field Configurations, and Module Access Policies. The next image shows how these three components work together.

    Field encryption and supporting components

    By default, encrypted data is locked down from all access. A MAP defines which accessor (users, scripts, and system processes) can be authorized to access the data.

    Module access policy flow

    You can configure multiple MAPs to apply different access rules to different encrypted fields. In this diagram, Module Access Policy A covers columns A, B, C, and D, and Module Access Policy B covers column E — each with its own rules per accessor.

    Multiple module access policy example

    Access rules can differ between two policies for each accessor type. The following table reflects the access rules defined for Module Access Policy A, applied to columns A, B, C, and D, and Module Access Policy B, applied to column E.

    Accessor MAP A

    Columns A, B, C, D

    		 MAP B

    Column E
    Role A Allow Block
    Role B Allow Block
    Role C Block Allow
    Script A Allow Block
    Script B Block Block
    Script C Block Allow
    System Context Processes Block Allow

    Differences between Field Encryption Starter and Field Encryption Enterprise

    The feature-set is different between Field Encryption Starter and Field Encryption Enterprise.

    Feature Field Encryption Starter Field Encryption Enterprise
    Number of encrypted fields Up to 5 encrypted fields
    Note:
    Field Encryption Starter limits the number of encrypted fields, not encryption modules or contexts. Field Encryption replaces the deprecated Column Level Encryption product, which used a module and context-based limit.
    		 No restriction on number of encrypted fields
    Attachment encryption No Yes
    Key management None (Contact ServiceNow Support for key rotation) Manage keys from your instance with no involvement from ServiceNow Support
    Supported data types All supported data types All supported data types
    Number of Field Encryption Modules No restriction No restriction
    Number of Module Access Policies No restriction No restriction

    Field Encryption users

    Table 1. Users
    User Description
    Key Management Framework (KMF)Admin or KMF Cryptographic Manager These roles are used to configure elements of Field Encryption.
    • Field Encryption modules and module keys
    • Cryptographic Specifications
    • Module life-cycle policies
    • Encrypted field configurations for fields and attachments
    • Module Access Policies (MAPs)
    • Configures, wraps, and uploads customer supplied keys (for Field Encryption Enterprise)
    • Configures Access Observer and review Access Observer logs.
    • Schedule mass encryption, decryption, or re-keying
    KMF Cryptographic Operator Configures properties for customer supplied keys

    Field Encryption and record history

    Changes to fields encrypted with Field Encryption are not tracked in the activity stream for the record or in the record history [sys_history_set] table.

    Encryption on system tables

    Field Encryption currently doesn't support the encryption of fields and attachments of system tables (tables that begin with sys_).

    What to explore next

    To learn more about configuring and using Field Encryption, see: