Hello, I have a possible solution to your issue. Disclaimer, I find this to be a bit 'hacky', but I was unable to find any other solution to this matter online. In order for this to work, you will need the Encryption Support plugin. I will also note that this is for encrypting attachments in Service Portal. From my experience so far, Service Portal handles attachments a bit differently (code-wise) from all the other ServiceNow modules.

Difficulty: Intermediate

Step 1: Locate the 'nowAttachmentHandler.js' file, and create a copy of the file.
- This is the file that includes the code to process the upload of attachments in Service Portal. You can access the file by navigating to https://[your-instance-name].service-now.com/scripts/angularjs-1.4/sn/common/attachments/factory.nowAttachmentHandler.js After locating the file, copy the code and paste into a notepad file for later use.

Step 2: Create an Encryption Context
-This is part of the Encryption Support plugin. To create an encryption context, enter 'encryption context' into the filter navigator within ServiceNow and press enter. From here, click 'New' to create a new encryption context. Enter a meaningful name and click 'Save'. Copy the sys_id of the record, and paste it into a notepad for later use. (See Setup encryption contexts for more info)

Step 3: Create a role with the encryption context
-Any user who you wish to upload encrypted attachments must have a role that is associated with the encryption context you created. Creating new roles are located under 'System Security > Users and Groups > Roles'. Once you have accessed the role list, click 'New' to create a new record. You will notice on the form, a field called 'Encryption context' (if it is not there use the 'Form Designer' to add the field to the form). This is simply a reference to that table. Search for the encryption context you created and add it to the field. Give a name to the role and save the record. *Make sure to give this role to a user you are testing with.

Step 4: Create a new UI script with the code from step 1
-Navigate to the UI Scripts list by entering 'ui script' in the filter navigator and pressing enter. Create a new UI Script. In the code section, paste all the code you copied from step 1. Give your UI script a meaningful name (I just used 'spAttachmentEncrypt'). This next part is important. Assuming you kept the first line comment from the copied code, go to the second line and replace 'nowAttachmentHandler' with a meaningful name (e.g. spAttachmentEncrypt). Next, navigate to line 64. You should see something called 'sysparm_encryption_context'. The value associated with it will be empty ''. Replace this with the sys_id of the encryption context you copied in step 2. Save the UI Script.

Step 5: Customizing the widget
-Locate the Service Portal widget you wish to encrypt attachments with. NOTE: you may need to clone/customize the widget if you are using it Out of the Box. For this example I will use the OotB 'Form' widget (ID: widget-form). Navigate to the record of the widget within ServiceNow. Find the 'Client Controller'/'Client Script' section. Press the magnifying glass icon located above the code section to activate the 'find' feature. Type in 'nowAttachmentHandler' and press enter. Replace all highlighted occurrences with the same name you renamed in step 4. Save if you wish to, in the next step we will create the dependency for this code to reference.

Step 6: Create the widget dependency
-Within the widget record you were modifying in step 5, scroll down to the bottom of the page and click on the tab called 'Dependencies' and click 'New'. Give it a name and click 'Save'. You should now see a section called 'JS Includes'. Click 'New' to create a new JS include. From here change the 'Source' field to UI Script. In the 'UI Script' field add a reference to the UI Script you created in step 4. Give a meaningful name to the JS include and save the record.

Step 7: Cleanup/Testing
-Make sure everything is saved. Logout and log back in (trust me, you need to do this for some reason). For testing, I used Incidents, but I suppose any table that uses attachments will work. For your test user make sure they have proper roles to create records on the table you wish to test with, as well as the role you created in step 3. Navigate to the a page on your portal that has the widget you modified in step 5. Go through the process of attaching a document. As the user who uploaded the attachment, you will have access to view it. Login as a different user* without the encryption role and access the same record. If it works, they should not be able to view the attachment. *Impersonating a user will not work, you need to login with a new session.

Again, this is by no means a perfect solution, but it should work. If anyone would like to try improving it or finding ways to break it, that would be very much appreciated 🙂

[EDIT: Formatting]

Very impressed.  Your documentation was clear and well written.   I just tried your solution but it didn't work.   I've got a Madrid PI setup with multiple encryption contexts.  The test user has only one encryption context and can sucessfully encrypt an attachment via the Native UI.   I test using a new browser session and don't use impersonation.   

Your instructions had the sys_ID of the encryption context pasted into the UI Script.   Could it be that your solution is not intended for multiple encryption context situations?   Portal widgets is new to me so it could be my lack of knowledge in that area too.   Any suggestions?