Edge Encryption limitations
Edge Encryption impacts system functions. Carefully evaluate the impact of encrypting a field.
Field type restrictions
You can encrypt only the following field types:
- Date
- Date/Time
- HTML
- IP Address
- Journal
- Journal Input
- Multi-line text
- Single-line text
- String
- URL
You cannot encrypt the following field types:
- Choice fields
- Virtual fields
- Fields in system tables, except for certain fields in sys_user
- System fields in tables
- Number fields or fields associated with an auto-numbering scheme
- Any other field type not listed above
Additional restrictions:
- When a Journal field is encrypted, the Post button is inactive, even if there are multiple Journal fields and only one of those fields is encrypted.
- Encrypted fields aren’t available in Go to and header filter boxes.
- When encrypting fields used as an index, you can use only order-preserving and equality-preserving encryption types. Indexed fields can’t be encrypted using the standard encryption type.
For more information, see Field types.
Filtering and searching restrictions
- Standard encryption
  - When you select a String, Date, Date/Time, or URL field with a standard encrypted field configuration as the left operand in a filter, no filtering options are available.
- Equality-preserving encryption
  - When you select a String, Date, Date/Time, or URL field with an equality-preserving encrypted field configuration as the left operand in a filter, the following operators are available:
    - is
    - is not
    - is empty
    - is not empty
- Order-preserving encryption
  - When you select a String field with an order-preserving encrypted field configuration as the left operand in a filter, the following operators are available, in addition to is, is not, is empty, and is not empty:
    - greater than
    - less than
  - When you select a Date or Date/Time field with an order-preserving encrypted field configuration as the left operand in a filter, the following operators are available, in addition to is, is not, is empty, and is not empty:
    - after
    - before
    - after or on
    - before or on
- Date and Date/Time pickers
  - For Date fields, use the date picker to specify the date.
  - For Date/Time fields, use the date and time picker to specify the date and time.
- List condition filters
  - The Show Matching and Filter Out options are supported in lists. Only exact matches are returned or filtered out.

Note: Adding encrypted fields in condition filters is supported in scripts such as UI policies and business rules.
Configuration restrictions
Restrictions and behavior of encryption configurations:
- After you add a field to the Edge Encryption Configuration table, you can’t delete the configuration record. If you no longer want a field to be encrypted, deactivate the record in the Edge Encryption Configuration table and schedule an encryption job to decrypt the data.
- If a field in a parent table is marked to be encrypted, the field is also encrypted in all inherited tables. For example, if the Short description field in the Task table is encrypted, then the contents of the Short description field in the Incident table are encrypted.
- If a field inherited from a parent table is marked to be encrypted, the field in the parent table can’t be encrypted. For example, if the Short description in the Incident table is marked to be encrypted, then the Short description in the Task table can’t be encrypted. In this example, you can encrypt the Short description in the Problem table.
- When a field with an encryption configuration defined is exported to any format, the output includes encrypted values even when exported through the proxy server.
- You can’t import data to a field with an encryption configuration defined.
- You can’t encrypt inherited Date and Date/Time fields. Date or Date/Time fields inherited from a parent table aren’t listed on the Column field drop-down list, and you can’t create Date or Date/Time encryption configurations for those fields.
- You can encrypt a String or URL field only from a parent table or a child table, but not both.
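The field-type, indexed-field and inheritance rules above can be combined into a pre-flight check that an administrator runs against a proposed configuration before creating the record. The following is an added example, not ServiceNow's own code: the table hierarchy (Task with child tables Incident and Problem), the existing configuration records and the shape of the request object are constructed for this example, and field types are written with the page's display labels rather than internal type names.

```javascript
// Added example (not ServiceNow code): pre-flight validation of a proposed
// Edge Encryption configuration against the rules on this page.
// The hierarchy, request shape and existing records below are constructed sample data.

const ENCRYPTABLE_TYPES = new Set([
  'Date', 'Date/Time', 'HTML', 'IP Address', 'Journal', 'Journal Input',
  'Multi-line text', 'Single-line text', 'String', 'URL',
]);

// Constructed sample hierarchy: table -> parent table (null for a root table).
const SAMPLE_PARENT_OF = { Task: null, Incident: 'Task', Problem: 'Task' };

// Walk up the hierarchy: Incident -> [Task]; Task -> [].
function ancestors(table, parentOf) {
  const out = [];
  for (let t = parentOf[table]; t; t = parentOf[t]) out.push(t);
  return out;
}

// Walk down the hierarchy: Task -> [Incident, Problem].
function descendants(table, parentOf) {
  const out = [];
  for (const [child, parent] of Object.entries(parentOf)) {
    if (parent === table) out.push(child, ...descendants(child, parentOf));
  }
  return out;
}

// request:  { table, field, type, indexed, inherited, encryption } where encryption is
//           'standard', 'equality-preserving' or 'order-preserving' (assumed shape).
// existing: Edge Encryption Configuration records as { table, field, active }.
// Returns { ok: true } or { ok: false, reason }.
function checkEncryptionRequest(request, existing, parentOf = SAMPLE_PARENT_OF) {
  const { table, field, type, indexed, inherited, encryption } = request;

  if (!ENCRYPTABLE_TYPES.has(type)) {
    return { ok: false, reason: `field type "${type}" cannot be encrypted` };
  }
  // Indexed fields accept only order-preserving and equality-preserving encryption.
  if (indexed && encryption === 'standard') {
    return { ok: false, reason: 'indexed fields cannot use standard encryption' };
  }
  // Date and Date/Time fields inherited from a parent table cannot be encrypted.
  if (inherited && (type === 'Date' || type === 'Date/Time')) {
    return { ok: false, reason: `inherited ${type} fields cannot be encrypted` };
  }
  // Configuration records are deactivated rather than deleted, so only active ones count.
  const activeFor = (t) => existing.some(c => c.active && c.table === t && c.field === field);

  // A field encrypted in a parent table is already encrypted here; parent or child, not both.
  const up = ancestors(table, parentOf).find(activeFor);
  if (up) {
    return { ok: false, reason: `${field} is already encrypted via parent table ${up}` };
  }
  // A field encrypted in any child table blocks encryption in the parent.
  const down = descendants(table, parentOf).find(activeFor);
  if (down) {
    return { ok: false, reason: `${field} is encrypted in child table ${down}, which blocks the parent` };
  }
  return { ok: true };
}

// Constructed scenario from the page's own example: Short description encrypted on Incident.
const sampleConfigs = [{ table: 'Incident', field: 'Short description', active: true }];
const taskRequest = { table: 'Task', field: 'Short description', type: 'String',
  indexed: false, inherited: false, encryption: 'standard' };
console.log(checkEncryptionRequest(taskRequest, sampleConfigs));
```

In the sample scenario the Task request is rejected because Incident already encrypts the field, while the same request against Problem passes, matching the Task/Incident/Problem example above. Deactivated configuration records are ignored by design, since deactivating (not deleting) a record is how encryption is removed.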
Instance restrictions
Impact of using Edge Encryption on the instance:
- Back-end logic can’t process encrypted data. When the instance contains encrypted data, any business rule, back-end script, or back-end feature that relies on evaluating the data in the encrypted field doesn’t run correctly.

  Note: Data encrypted with equality-preserving or order-preserving encryption still passes equivalence checks when compared against an identical encrypted value.
- Since email processing goes from the mail systems straight to the instance and can’t pass through the Edge proxy, data sent in or out via email can’t be encrypted or decrypted by the Edge proxy.
  - Data and attachments in inbound emails aren’t encrypted.
  - Data and attachments in outbound emails remain encrypted and can’t be decrypted.
- Scripts run on the server can’t change encrypted data.
- Global search isn’t supported. Because global search attempts to search both encrypted and clear text data, the results may not be as expected.
- Encrypted data can’t be copied and pasted into a record where the field isn’t encrypted.
- Depending on the type of encryption selected, the user interface functionality for the encrypted fields is reduced. For example, being able to compare, group by, sort, and search may be impacted. Generally, the stronger the encryption selected, the more functionality is reduced.
- Except for Java KeyStore, SafeNet, and Unbound Technology, no third-party software or hardware encryption key management is supported.
- Although multiple proxy servers connected to a single instance are supported, encryption proxy cluster management and monitoring aren’t available. Each proxy must be managed separately.
- System configurations such as workload and the number of encrypted fields can impact the performance of encrypted fields.
- The Edge Encryption proxy server can only connect to a single instance.
- If your instance uses an Oracle database and the String field you’re marking to be encrypted is greater than 2925 characters, that field can’t be sorted even when order preserving encryption is selected.
- If your instance uses an Oracle database, Unicode AL32UTF8 is the only supported character set.
- Encrypted data can’t be used in reports.
- Edge Encryption can’t be used with Data Archiving.
- Edge Encryption proxies cannot encrypt requests that use the batch REST request API. If you are using Edge Encryption proxies, disable REST batching by setting the glide.uxf.disable_rest_batching system property to true.