Attachment encryption
11-08-2017 02:41 PM
Hmm, I have set up encryption for the admin role, impersonated a user without the admin role, and was still able to view the attachment... Istanbul version. I followed the guidelines at this link to set up my encryption context:
http://wiki.servicenow.com/index.php?title=Encryption_Support#gsc.tab=0
Labels: Team Development
11-08-2017 02:51 PM
Hi Kevin,
Just a few questions for you:
1. Did you associate the Encryption context to the admin role?
2. Did you log out and log back in?
3. Are you following the attachment encryption documentation? (This is different from the URL you provided)
According to the product documentation, you must follow these steps to set up an encrypted field/encryption context:
Set up encryption contexts
Procedure
1. Navigate to System Security > Encryption Contexts.
2. Click New.
3. Enter the following:
Name: enter the text users see when selecting an encryption context.
Encryption key: do not change this field if you want the instance to randomly generate a key. Otherwise, enter the desired key (exactly 24 characters for Triple DES, exactly 16 characters for AES 128-bit, or exactly 32 characters for AES 256-bit).
Warning: You cannot retrieve this key from the instance, so save it elsewhere before clicking Submit if you need it.
Type: select AES 128-bit for Advanced Encryption Standard, Triple DES for Triple Data Encryption Standard, or AES 256-bit if your system is configured for it.
4. Click Submit.
The encryption key itself is encrypted with a key that is stored in the program, not in the database. This prevents other users from copying the key and using it to decrypt data.
5. Navigate to System Security > Roles and open the role to associate with the encryption context.
6. Configure the Roles form to add the Encryption context field.
7. Select the encryption context to associate with the role (there can be only one encryption context per role).
8. Click Update.
NOTE: Users must log out of the instance and log in again to use the encryption context.
To encrypt attachments you will need to follow the directions in this doc:
You can encrypt attachments that are already attached to records.
- Log in as a user with at least one encryption context.
- If more than one encryption context is available, select the encryption context for this session from the selector.
- Navigate to a form which needs an attachment added, such as the Incident or Problem form, and click the attachment icon to open the Attachments dialog box.
- Select the file to be attached. Only users with one or more encryption contexts see the Encrypt file check box below the file name.
- Select the Encrypt file check box. Users with more than one encryption context are asked to confirm the encryption context. If you select a different encryption context, the encryption context selector updates to reflect the change.
- Click Attach to upload the file attachment. The file appears in the Current file attachments section of the form with a special icon indicating that it is encrypted. Pointing to the icon shows the name of the encryption context.
- Click Done. Attached files are listed across the top of the form. A special icon identifies encrypted files. Note that you can only see the encrypted files for which you have the encryption context.
Please mark this answer as Correct/Helpful as appropriate.
Thanks!
11-08-2017 03:13 PM
Yes, I did all that, then deleted it and did it over again to make sure I did not miss any steps. I do get the encryption icon, but can still view the attachment even when I impersonate a user who is not in the encrypted role...

11-08-2017 03:34 PM
Be sure to log out and then log back in as that user directly instead of impersonating the user. Impersonation does not change the encryption contexts available to the logged in session.
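The behaviour described in this thread (contexts resolved from roles at login, an encrypted attachment only visible to a session holding its context, impersonation leaving the session's contexts untouched) as an added model in plain JavaScript; this is not ServiceNow code, and the role, user and attachment records are constructed sample data with assumed names.

```javascript
// Constructed sample data: a role associated with an encryption context
// and a role without one (assumed names, not real instance records).
const roles = {
  admin: { encryptionContext: "ctx_hr" },
  itil:  { encryptionContext: null },
};

const users = {
  kevin: { roles: ["admin", "itil"] },  // holds the context via the admin role
  bob:   { roles: ["itil"] },           // holds no encryption context
};

// Contexts are resolved from the user's roles at login time only,
// which is why the docs say to log out and back in after changes.
function loginSession(userName) {
  const contexts = new Set();
  for (const roleName of users[userName].roles) {
    const ctx = roles[roleName].encryptionContext;
    if (ctx) contexts.add(ctx);
  }
  return { user: userName, impersonating: null, contexts };
}

// Impersonation swaps the effective user but does NOT recompute the
// session's encryption contexts, so the impersonated user still appears
// to see the encrypted file (the behaviour reported in this thread).
function impersonate(session, targetUser) {
  return { ...session, impersonating: targetUser };
}

// Only sessions holding at least one context get the Encrypt file check box.
function canEncryptOnUpload(session) {
  return session.contexts.size > 0;
}

// An attachment is visible when it is unencrypted or when its context
// is one the session holds.
function canViewAttachment(session, attachment) {
  if (!attachment.encryptionContext) return true;
  return session.contexts.has(attachment.encryptionContext);
}

// Constructed attachments: one encrypted under ctx_hr, one unencrypted.
const encryptedFile = { name: "payroll.xlsx", encryptionContext: "ctx_hr" };
const plainFile = { name: "readme.txt", encryptionContext: null };
```

Logging in directly as the user without the role is the only way in this model to get a session lacking the context, matching the advice in the final reply.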