Encrypting Journal Fields

nicholasmayo · ‎05-03-2017

Hey folks,

I was wondering if it's possible at all to encrypt Journal fields. Documentation said it isn't possible, but I was wondering if anyone came up with any solutions.

Our use case: we are onboarding HR into our instance where they can track their support cases. We will be encrypting attachments and several text fields, but they may have discussions via comments about sensitive information (PHI, PII, etc). We need to be able to encrypt this data. Any ideas?

Thanks.

harichetlur · ‎05-16-2017

At the moment, Edge Encryption does not support encrypting Journal fields. It is on our roadmap for the Kingston release.

mikeadler · ‎05-24-2017

Hey Nick,

Great question and I'm glad you are discussing this subject here. You are correct in that journal field type is not currently supported. However, ServiceNow Edge Encryption, does have this feature on its roadmap. I'm keen to have it available in the near future as indicated in the previous reply. Please kindly feel free to have your ServiceNow account rep reach out to me to discuss further in this respect to this add-on product as part of a solution you would like to investigate.

In my opinion, there may be an incremental path forward to start addressing your use case with the exception of encrypting journal field types ( for example: Additional Comments and Work Notes). Edge Encryption will allow you to automatically encrypt sensitive information that may be stored in record attachments as well as both standard out-of-the-box and user-defined string fields. With Edge Encryption your encryption keys are owned and controlled by you inside your network where the encryption processing also happens. With respect to storing discussions in a string type field (not journal type field), you would need to continue to update the same string field that you configured for encrypting. While this approach does not emulate how a journal field works, it might suffice.

Either way, I hope this reply helps in making a more informed decision in protecting and managing sensitive information.

I'm happy to discuss further as well.

Kind regards,

Mike

Mike McCall · ‎06-15-2017

[Full disclosure: I'm on Nick's team, so I have literally the "same question."]

Assuming that we must use journal fields to capture data but can't wait for Edge Encryption, are there any ideas out there?

By the way, I saw a similar post from 2013, and it looks like there were no good answers then, hah: How to encrypt Journal Entries?

Jeff Boltz1 · ‎08-22-2018

I tried a business rule (when=before, insert, update) on the incident table but it captures the cipher text and the clear text:

(function executeRule(current, previous /*null when async*/) {
	
	// Add your code here
	var encr = new GlideEncrypter();
	current.work_notes = encr.encrypt(current.work_notes);
		
})(current, previous);

The result is there is a data entry for the cipher text, in addition to the clear text:

Not sure how to short circuit the clear text from saving to the Journal Entries table.

Any thoughts? Should I just put a BR on the Journal Entry [sys_journal_field] table, and then call decrypt when it is loaded?

Thanks,
Jeff