Encryption Release Notes

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Encryption Release Notes - Zurich

    The ServiceNow® Encryption Key Management application in the Zurich release enhances data protection through advanced encryption techniques, controlled key access, and adherence to NIST 800-57 key life-cycle management standards. It also features FIPS 140-2-L3 validated key protection to ensure robust security measures.

    Show full answer Show less

    Key Features

    • Row Conditions for Field Encryption: Define encryption rules dynamically for specific rows within a column based on conditions, enabling more granular and flexible data protection.
    • Attachment Encryption: Use any of the three available Field Encryption APIs to encrypt attachments, offering improved flexibility without dependency on a single API.
    • Upgrade to AES Encryption: The GlideEncrypter API now defaults to the Advanced Encryption Standard (AES) algorithm instead of 3DES for upgraded instances, aligning with NIST recommendations and enhancing security.
    • Column Level Encryption Upgrade: Column Level Encryption has been upgraded to the Key Management Framework Column Level Encryption (KMF-CLE), supporting stronger encryption algorithms and removing 3DES.

    Important Changes and Deprecations

    • 3DES Deprecation: ServiceNow has officially removed support for 3DES encryption in GlideEncrypter and encrypted string keys. Instances must transition to the Key Management Framework (KMF) format.
    • GlideEncrypter API: Not supported on new instances created with Zurich or later; existing instances upgrade to default AES encryption.

    Activation and Licensing

    The Platform Encryption subscription bundle includes Field Encryption Enterprise (an unlimited license version) and Cloud Encryption. Activation requires enabling the com.glide.now.platform.encryption plugin.

    Related Applications and Features

    • Key Management Framework (KMF): Provides customizable cryptographic operation management on your instance.
    • Code Signing: Creates digital signatures to verify data authenticity and integrity; licensed as part of the Vault module.
    • Cloud Encryption: Offers encrypted database storage using block encryption and enhanced key management, available with the Platform Encryption and Vault subscription bundles.

    Practical Impact for ServiceNow Customers

    Customers upgrading to or implementing the Zurich release will benefit from stronger encryption standards, improved flexibility with encryption APIs for attachments, and granular control over encrypted data via row conditions. They should plan to migrate away from deprecated 3DES encryption practices to maintain compliance and security. Activating the appropriate plugins and subscriptions ensures access to the full capabilities of enhanced encryption and key management.

    The ServiceNow® Encryption Key Management application protects your data by using encryption, tightly controlled key access, National Institute of Standards and Technology (NIST) 800-57-based key life-cycle management, and FIPS 140-2-L3 validated key protection. Encryption Key Management was enhanced and updated in the Zurich release.

    Encryption highlights for the Zurich release

    • Use row conditions for Field Encryption to define encryption rules for rows within a specific column, based on dynamic conditions.
    • Use any of the three Field Encryption APIs to encrypt attachments.

    See Encryption for more information.

    Important information for upgrading Encryption to Zurich

    For the GlideEncrypter API, NIST 800-131A Rev 2 has recommended against using the Triple Data Encryption Standard (3DES) encryption. The following changes are taking place in the Zurich release with the official removal of 3DES encryption for GlideEncrypter.
    • The GlideEncrypter API defaults to using the Key Management Framework (KMF) based algorithm, Advanced Encryption Standard (AES), for encryption and decryption operations for upgraded instances only.
    • For instances created with the Zurich release or later, this API isn’t supported.
    • Learn more about 3DES deprecation in KB1704481.

    In the Zurich release, Column Level Encryption has received a required upgrade to Key Management Framework Column Level Encryption (KMF-CLE) due to the platform-wide deprecation of 3DES. For more information about this upgrade, see KB1700704.

    New in the Zurich release

    Encrypt data using Row Conditions
    Use row conditions for Field Encryption to define encryption rules for rows within a specific column, based on dynamic conditions.

    Changed in this release

    Field Encryption Enterprise API

    Use all three Encryption APIs to encrypt on attachments, without needing to use any one specific API.

    Deprecations

    Prepare your instance for GlideEncrypter deprecation
    Encrypted string keys 3DES format is no longer supported. Key Management Framework (KMF) is the supported format.

    Activation information

    The Platform Encryption subscription bundle is a group commercial entitlement that includes Field Encryption Enterprise and Cloud Encryption.

    Field Encryption Enterprise is the unlimited license of Field Encryption. The Enterprise plugin is available with the activation of the com.glide.now.platform.encryption plugin. For details, see the Encryption and Key Management subscription bundle.

    Related ServiceNow applications and features

    Key Management Framework

    Encryption is a cryptographic procedure that converts plain text into cipher text, which helps prevent anyone but the intended recipient from reading that data.

    Key Management Framework Reference

    The Key Management Framework lets you fully customize and manage how cryptographic operations are performed on your instance.

    Code Signing

    Code Signing creates digital signatures for the data, which are later checked to confirm the authenticity and integrity of the data. Code Signing is a module licensed as a component of Vault.

    Cloud Encryption with Key Management

    Cloud Encryption offers encrypted storage for the database by using block encryption, with enhanced key management. Cloud Encryption is available with the Platform Encryption subscription bundle and the ServiceNow Vault subscription bundle.