Field Encryption Enterprise
Summary of Field Encryption Enterprise
Field Encryption Enterprise is an advanced encryption solution in ServiceNow based on the Key Management Framework (KMF). It enables customers to customize and manage encryption and decryption of fields and attachments within their instance. This enterprise version requires a subscription and offers enhanced key management, key protection, and encryption controls beyond the standard Field Encryption. It uses FIPS 140-2-L3 Hardware Security Modules (HSM) for secure key wrapping and aligns with NIST 800-57 practices.
The solution supports both field-level and attachment encryption with flexible cryptographic modules and access policies, providing non-deterministic encryption for stronger security. It is designed for customers who need comprehensive encryption management, including key lifecycle operations like rotation and revocation, and supports customer-supplied keys (CSK) for greater control.
Key Features
- Key Management Framework (KMF): Provides key lifecycle management, key rotation, role segregation, secure key transfer between instances (Resource Exchange), CSK support, and auditing of key usage.
- Customer-Supplied Keys: Allows the use of your own encryption keys with the ability to wrap, upload, and manage them on the ServiceNow platform.
- Field and Attachment Encryption: Encrypts supported fields and attachments via Encrypted Field Configurations with no limit on the number of encrypted columns, unlike the standard version.
- Non-Deterministic Encryption: Uses AES in Cipher Block Chaining (CBC) mode with a fresh initialization vector per operation, so the ciphertext differs each time the same data is encrypted and an observer of the column cannot tell which rows hold equal values.
- Access Policies and Cryptographic Modules: Enables granular control over encryption keys and cryptographic operations through configurable modules and access policies based on scope, role, script, Resource Exchange, and system user.
- Resource Exchange: Securely transfers encrypted keys between instances, ensuring confidentiality, integrity, and authentication.
- Attachment Encryption by Default: Attachments in tables with active Encrypted Field Configurations are encrypted by default, with an option to opt out via ServiceNow support.
- API Support: Offers APIs for changing encryption contexts and modules on attachments, disabling encryption, and getting or setting encrypted field values, facilitating integration and automation.
- Supported Field Types: Includes attachments, dates, date/times, HTML, journals, phone numbers, strings, translated fields, URLs, and more.
Key Outcomes
- Enhanced security and compliance with encryption aligned to federal and industry standards (FIPS 140-2-L3, NIST 800-57).
- Complete control over encryption keys, including the ability to use your own keys and manage their lifecycle securely.
- Scalable encryption support suitable for enterprise needs, with no limits on encrypted columns and support for both field and attachment encryption.
- Improved data confidentiality through non-deterministic encryption methods.
- Seamless and secure key exchange between ServiceNow instances, supporting complex deployment architectures.
- Flexible administration through customizable cryptographic modules and access policies tailored to organizational roles and resources.
- Automated encryption management via provided APIs, enabling developers and administrators to integrate encryption operations into workflows efficiently.
Field Encryption Enterprise uses the Key Management Framework (KMF) to enable you to customize and manage how fields and attachments are encrypted and decrypted on your instance. A subscription is required to use Field Encryption Enterprise.
Field Encryption Enterprise builds on Field Encryption and uses the Key Management Framework with its full set of key management functions. It provides key protection and key life-cycle management for application-level field encryption. All keys are protected with a key-wrapping hierarchy ultimately rooted in FIPS (Federal Information Processing Standards) 140-2 Level 3 Hardware Security Modules (HSM).
Field Encryption Enterprise lets you manage how supported fields are encrypted and decrypted in accordance with NIST 800-57 practices. It uses the current version of field-level encryption, including integration for proper key protection and management.
Specifically, Field Encryption Enterprise uses the KMF encryption modules, giving you more control over server-side encryption. KMF protects data-encryption keys with a key hierarchy and envelope encryption: each data-encryption key is itself encrypted (wrapped) under a higher-level key, and the top of the hierarchy is held in the HSM. Your instance encrypts data through cryptographic modules that you configure. For each module you create an access policy, configure cryptographic specifications, and control key life-cycle management.
Field Encryption Enterprise supports module access policies based on:
- Scope
- Role
- Script
- Resource Exchange
- System User
Encryption terms
| Term | Description |
|---|---|
| Support for key management | Fundamental to Field Encryption Enterprise is the Key Management Framework (KMF). See Key Management Framework Reference for the capabilities it provides. |
| Support for customer supplied keys | One of the biggest benefits of Field Encryption Enterprise is that you can use your own keys for encryption. Administrators can choose between ServiceNow-supplied keys and customer-supplied keys (CSK) for encryption on the ServiceNow AI Platform®. You also manage the key life cycle and decide when to revoke, rotate, and inactivate keys. After you enable customer-supplied keys and create a cryptographic module, you download a token and a public ephemeral key. You use the token and public key to wrap your key and then upload the wrapped key to the instance, so the raw key is never sent in the clear. To use customer-supplied keys, see Configure field encryption settings to select key type and Using customer supplied keys with Field Encryption Enterprise. |
| Support for both field encryption and attachment encryption | Both field encryption and attachment encryption use cryptographic modules and access policies through Encrypted Field Configurations. The Encrypted Field Configuration form is where you choose an encryption type of column or attachment encryption. See Set encrypted field configurations for more information and supported field types. |
| Support for non-deterministic encryption | Field Encryption Enterprise supports non-deterministic encryption for enhanced security: if the system encrypts the same data more than once, the ciphertexts differ each time. Non-deterministic encryption is available with Advanced Encryption Standard (AES) encryption in Cipher Block Chaining (CBC) mode. The Equality Preserving option on the Algorithm Definition stage of the cryptographic specification controls this behavior: equality-preserving (deterministic) encryption produces the same ciphertext for the same input so that exact-match comparisons still work, at the cost of revealing which rows share a value; leave it unselected for non-deterministic encryption. Create a cryptographic specification for a crypto module, define an algorithm for encryption, and generate the key. See Create a cryptographic module to define the mechanisms used for cryptographic operations and for more information on enabling non-deterministic encryption. |
| Resource Exchange | Resource Exchange moves Field Encryption Enterprise keys from instance to instance in a secure manner, using the KMF cryptographic APIs to provide confidentiality, integrity, authentication, and non-repudiation. Resource Exchange is a KMF feature that lets you exchange resources between instances securely. See Key Management Framework Resource Exchange for details. |
Field Encryption Enterprise supports on-premise customers. It doesn’t support Domain Separation.
Support for additional encrypted fields
The standard version of Field Encryption is limited to five encrypted columns. Field Encryption Enterprise supports an unlimited number of encrypted columns.
Supported field information
- Attachments
- Date
- Date/Time
- HTML
- Journal
- Journal Input
- Journal List
- Phone
- String text
- Translated Field
- Translated HTML
- Translated Text
- URL
Attachment Encryption
- Attachment encryption by default: Customers using Field Encryption have attachments encrypted by default in tables that have an active Encrypted Field Configuration (EFC) of type Attachment. Because the EFC defines this default, admins do not need to declare manually that an attachment should be encrypted on upload for these tables.
  - Administrators can also disallow users from attaching unencrypted files. For details, see Prevent users from attaching unencrypted files.
- Opt out of default encryption: If you don't want attachments encrypted by default based on the EFC configuration, you can opt out by contacting ServiceNow support. Create a support case with ServiceNow support and include this statement in a comment on the case record:
"I [customer name], understand that I am asking ServiceNow to turn off a recommended security best practice for attachments, and that [customer company] assumes any additional risk related to their configuration and use of unencrypted attachments in the ServiceNow application."
API support
Field Encryption Enterprise enables the following APIs.
| API | Description | Parameters | Return type |
|---|---|---|---|
| | Updates the active Encryption Context (EC) used to encrypt an attachment. When Column Level Encryption (CLE) is enabled through the CLE Starter plugin with a KMF Crypto Module (CM), the API locates the CM for the EC and uses it to encrypt the attachment. Note: this API is only available in the Global scope. | | Boolean |
| changeCryptoModule() | Updates the active encryption module used to encrypt an attachment. Note: this API is only available in the Global scope. | | Boolean |
| disableEncryption() | Disables active encryption on an attachment. | | Boolean |
| getDisplayValue() | Returns the cleartext display value of an encrypted field. | | String |
| getValue() | Returns the cleartext value of an encrypted field when glide_encryption.set_value_support_cle.disabled is false (requires a Module Access Policy (MAP)). Returns the stored encrypted value of the field when the property is true. | | String |
| setDisplayValue() | Inserts encrypted data into an encrypted field for display purposes. | | Boolean |
| setValue() | Writes to an encrypted field; the behavior is controlled by a system property. Encrypts the data when glide_encryption.set_value_support_cle.disabled is false (requires MAP); writes the data unencrypted, with no MAP required, when the property is true. | | Boolean |
The following script illustrates API changes when the Incident short description is encrypted:
var gr = new GlideRecord('incident'); // new record in the Incident table
gr.setValue('short_description', 'test123'); // encrypted on write while the property is false and the script has MAP
var sys_ID = gr.insert(); // inserts the record in the Incident table
gs.info(gr.getValue('short_description')); // logs the cleartext under the same conditions; with the property true this logs the stored ciphertext
When the Field Encryption plugin is installed, glide_encryption.set_value_support_cle.disabled is set to false by default. Leave it false unless you have a specific reason not to: setting it to true lets any script write cleartext into a column that is meant to be encrypted, without a Module Access Policy.