This article is on migrating ServiceNow encrypted data from one instance to another using Precision Bridge.
Overview
ServiceNow has several distinct encryption methods. Because Precision Bridge communicates exclusively via the SOAP and REST APIs, the encryption type configured on an instance directly affects whether data can be read and written successfully. This article covers what each method means for a Precision Bridge migration.
Encryption Methods at a Glance
| Type | Keys Live | Visible via API? | Precision Bridge Impact |
|---|---|---|---|
| Full-Disk Encryption | Storage hardware | No | None — fully transparent |
| Database Encryption | Database layer | No | None — fully transparent |
| Column-Level (CLE) | Inside ServiceNow instance | Yes — ciphertext by default | Requires configuration — see below |
| Platform / Field Encryption (CLEE) | ServiceNow KMF / BYOK | Yes — ciphertext by default | Requires configuration — see below |
| Edge Encryption | On-prem proxy (customer-owned) | Always ciphertext | Not natively supported — see below |
A note on ServiceNow Vault: Vault is a product suite, not a standalone encryption method. It bundles Platform Encryption, Data Privacy, Zero Trust Access, and other security features. If your ServiceNow administrator refers to "Vault", the relevant component for Precision Bridge migration purposes is Platform Encryption (CLEE), covered below. Note that Database Encryption reached end-of-renewal in March 2024 and is no longer available for new customers; Edge Encryption is in end-of-renewal status with a planned end-of-life in December 2028.
Full-Disk and Database Encryption
Both operate below the application layer and are completely transparent to Precision Bridge. No special configuration is required — data is read and written normally.
Note: Administrators sometimes use these terms interchangeably. Both behave identically from a migration perspective.
Column-Level (CLE) and Platform Encryption (CLEE)
These encrypt specific fields and attachments at the application layer. Access is role-based — the Precision Bridge service account must hold the correct encryption context role on both instances, otherwise encrypted fields will return corrupt or empty data silently.
Migration requirements:
- Assign the encryption context role to the Precision Bridge service account on both source and target instances.
- The target instance must have an identical encryption context (same algorithm and key) configured before migration begins.
- For CLEE with customer-supplied keys (BYOK), the key must be available to the target's Key Management Framework before any data is written.
- Where the target instance has encrypted fields, confirm the Precision Bridge service account holds the encryption context role on the target — absence of errors does not confirm data has been encrypted on write.
Important: Encrypted fields are not written to audit history. Do not rely on history tables to validate migration completeness.
Edge Encryption
Edge Encryption is a proxy-based solution where data is encrypted before it leaves the customer's network — ServiceNow never holds the decryption key. Encrypted data is stored in the instance and cannot be decrypted by the API.
It is recommended to route through the proxy — Configure Precision Bridge traffic to pass through the Edge proxy so encryption/decryption is handled transparently. This may requires network and proxy changes.
Attachment Encryption
Attachment encryption is configured independently of field encryption in ServiceNow — encrypting fields on a record does not automatically encrypt its attachments. The behaviour through Precision Bridge (which uses the Attachments API to extract and create attachments) depends on the encryption method in use.
Full-Disk / Database Encryption: Transparent, as with field data. No special handling required.
Column-Level / Platform Encryption (CLE / CLEE): Attachment encryption must be explicitly enabled and uses the same context and role model as field encryption. The Precision Bridge service account must hold the correct encryption context role, and the target instance must have an identical context configured before attachments are migrated. Attachment encryption is not covered automatically by field migration — it must be verified and tested separately.
Edge Encryption: Edge Encryption encrypts the entire attachment binary before upload, rather than individual field values. Even if your Edge proxy is correctly handling field-level API traffic, this does not guarantee it will correctly intercept and decrypt binary attachment streams from the Attachments API endpoint, as proxy configurations often treat these differently.
Before assuming the proxy route covers attachments:
- Test an encrypted attachment end-to-end via the Attachments API specifically — do not rely on successful field migration as confirmation
- Confirm with your ServiceNow administrator that the Edge proxy configuration explicitly covers attachment endpoints
Pre-Migration Checklist (CLE / CLEE)
- Identify all encrypted tables, fields, and attachments on the source instance
- Assign the encryption context role to the Precision Bridge service account on both instances
- Confirm the target has an identical encryption context (algorithm + key)
- For BYOK: confirm the customer key is available to the target KMF
- Run a small batch test before full migration
- Validate migrated records without relying on audit history
- Handle attachment encryption separately — it is not covered automatically
FAQs
Will Precision Bridge detect encrypted fields automatically? No — it retrieves whatever the instance returns. Incorrect roles produce silent ciphertext or empty values with no error.
What happens if I migrate without the correct role configured? Encrypted fields are written to the target as unreadable ciphertext. The data will appear corrupt and cannot be recovered without the original key.
Comments
0 comments
Please sign in to leave a comment.