Encrypted Field configuration

Mayur Patil2
Tera Expert

Hello Developers,

 

I am trying the Column Level Encryption module. I have followed the steps below to configure CLE in my PDI.

 

Step 1: Set Up the Encryption Module

  1. Navigate to System Security > Field Encryption Modules in the Application Navigator.
  2. Click New to create a new encryption module. Configure the following fields:
    • Module Name: incident_description
    • Crypto spec Template: Default template
    • Crypto module lifecycle state: Published
    • Parent crypto module: Pre-populated as column_level_encryption (read-only)
  3. Save the configuration by right-clicking on the form header and selecting Save.

Step 2: Configure the Crypto Specification

  1. On the Cryptographic Module form, click the global.incident_description record under the Crypto Specifications related list.
  2. In the Algorithm Definition form, confirm the pre-populated fields and click Next.
  3. Open the auto-generated Key Lifecycle record and update the following fields on the Field Lifecycle Template form:
    • Expiration date [expiration_date]: Set to expire 1 year after activation.
    • Relative duration: 1 year, relative to the Activation date.
  4. Click Update, and then Next.

Step 3: Generate the Encryption Key

  1. On the Key Origin form, set the Key alias to incidentkey (overwrite the existing value).
  2. Click Next, and on the Key Creation form, click Generate Key.
  3. You’ll return to the Cryptographic Module form, where a new record with the encryption key will appear under the Module Keys related list. The key will have an expiration date of 1 year after activation.

Step 4: Create a Module Lifecycle Policy

Module Lifecycle Policies track and limit the validity of a specific encryption module. Follow these steps:

  1. From the Module Policy Exceptions related list of the incident_description Encryption Module, click New.
  2. Configure the policy:
    • Key type: Symmetric Data Encryption Key
    • Policy condition: Expiration date is more than 2 years after activation.
    • Result: Track
  3. Click Submit to save the policy.

Step 5: Define a Module Access Policy

A Module Access Policy determines which roles can access the encrypted data. For this example, we'll create a policy for the itil_admin role:

  1. Navigate to Key Management > Module Access Policies > All.
  2. Click New and configure the following fields:
    • Policy name: Incident Policy
    • Crypto module: incident_description AES-256
    • Type: Role-based
    • Target role: itil_admin
    • Result: Track
  3. Click Submit to finalize the access policy.

Step 6: Configure Encrypted Field Configuration

An Encrypted Field Configuration specifies which fields on a table should be encrypted with a certain module:

  1. Navigate to System Security > Field Encryption > Encrypted Field Configurations.
  2. Click New and fill in the following details:
    • Type: Column
    • Table: Incident [incident]
    • Column: Description [description]
    • Crypto module: incident_description AES-256
    • Method: Single Module

Click Submit to save the configuration.

 

But while performing "Step 6: Configure Encrypted Field Configuration", I am not able to select the Crypto module; for me it shows as empty. Screenshot below for reference.

MayurPatil2_0-1728032763003.png

 

But while following "Step 1: Set Up the Encryption Module", I created the module and it is saved in the same table. Screenshot below for reference.

MayurPatil2_1-1728032910937.png

 

Help me figure out why it is not showing, when the table is the same for the Cryptographic module (sys_kmf_crypto_module).

 

Thank you

Mayur Patil

 

 

2 REPLIES

Astha5
Tera Expert

Hi,

 

I am facing the same issue. Did you get a resolution?

 

Thank you,

Astha

JC Moller
Giga Sage

Did you manage to resolve this? I myself had some issues with data not being visible where it should be. I changed the application scope to the table's scope and managed to get the full list of fields in the last phase. So my thinking is that if you are in the wrong application scope, you are missing visibility to some data. You also need to add the KMD admin role to your ID and have security admin elevated while you work on encryption-related data.

- Jan