Overview
Column Level Encryption (also known as CLE) is a free plugin that has been available for many years. It has evolved from a simple plugin that only linked encryption contexts to roles into a much more mature plugin that can control the full lifecycle of keys and the way in which encryption is performed. Access can still be granted through roles, as before, but also through other options such as scripts. However, some features are not available in the free version: a separate paid plugin, Column Level Encryption Enterprise (also known as CLEE), contains the extra features.
In this article we will look at how to encrypt attachments using the free version. CLEE can be configured the same way, but it allows more actions to be performed.
If you want to know how to encrypt columns (fields), please see the other article I have just written.
Configuring the basics
To work with CLE, the first thing we need to do as an admin is elevate our privileges to "security_admin".
Then we need to go to "System Security > Key Management Administration":
and assign the sn_kmf_admin role to someone. In the example below I am using the "System Administrator" account and assigning the role to that same account:
These admins can grant other users the roles related to encryption and configure the settings, modules and fields as required. More information can be found here.
Creating a Cryptographic module
Now that we have that role, we have to log out and log in again for the change to take effect (as always). Then we need to configure a "Cryptographic Module" by going to "System Security > Field Encryption > Field Encryption Modules":
Configuring the Crypto Specifications
Under "Crypto Specifications" we will see a new row, where we can configure the encryption algorithm and the lifecycle of the keys. Clicking on the record opens a wizard whose first step lets us select the algorithm; "AES 256 CBC" is selected by default:
After clicking "Next" we can define whether the key expires and, if so, after how long. In the example below I set it to expire 1 year after the creation date. Some fields are not editable from the list view, but opening the record will allow you to change the details.
The next step is "Key Origin". For CLE the only available option is "Servicenow"; with CLEE, keys can also be stored externally:
The final step shows a summary of what we have configured, auto-generates a key (as long as "Auto generate key" is checked) and links it to the module:
Going back to the "Cryptographic module" we can have a look at the key that was generated:
From here we could renew the key, revoke it, rotate it or suspend it.
Creating the Encrypted Field Configuration record
Now let's configure when this module and key will be used. To do so, go to "System Security > Field Encryption > Encrypted Field Configurations" and create a new record. In this example I have set the Type to "Attachment" and the Method to "Multiple Modules". The reason is that if we selected "Single Module" and picked the module created above, every attachment would be encrypted with that module, and users would have no way to leave a file unencrypted.
This matters because encrypted fields and attachments cannot be seen by users without the right access (we will see later how to configure this). For instance, if the encryption required "itil" to read encrypted attachments, end users could not see them: if an agent uploaded an attachment to answer an end user, the end user would not see it because they do not have itil.
Selecting "Multiple Modules" lets agents decide which module to use, and also lets them select "none", which leaves the attachment visible to end users.
Module Access Policies
Finally, we need to define who will be able to encrypt and decrypt attachments. Go to "Key Management > Module Access Policies > All" and create a new Module Access Policy like the one below:
In this example I am selecting the Type "Role" and the "itil" role, meaning users with this role will be able to encrypt and decrypt attachments using the Crypto Module selected above. It is important to highlight that "Result" must be set to "Track" to allow this operation. I am also ticking the "Impersonation" checkbox so that admins can impersonate "itil" users and see attachments; if you want to prevent this, leave "Impersonation" unchecked.
Showing the results
All we have to do now is go to an incident and click on the attachment icon to attach a new file:
A dropdown called "Encrypt with Module" appears because of the "Multiple Modules" option we selected. We can open it and select "none" if this file needs to be visible to the end user. Bear in mind that if "Single Module" had been selected, the dropdown would not appear.
Attachments that are encrypted show a small lock icon; unencrypted ones do not.
It is important to highlight that if an attachment on an incident is encrypted, it will not be shared with end users via email, as the access conditions cannot be checked outside ServiceNow. Unencrypted files will still be shared with them.
Note: Until the "Washington" release, only the classic view allows selecting a module, including "None". In the "Washington" release ServiceNow seems to be shipping an update to workspaces that allows the same dropdown selection. This means workspaces will always encrypt files until that happens.
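As an added illustration (not ServiceNow code, and not part of the original post), the following plain JavaScript models the access outcomes produced by the "Multiple Modules" configuration, the role-based Module Access Policy with "Track" and "Impersonation", and the email rule described above, so the expected behaviour can be checked before configuring an instance. The module name, attachment names and session objects are constructed sample values.

```javascript
// Added example: a plain-JavaScript model of the access rules this article configures.
// It is NOT ServiceNow's implementation; the platform evaluates the real policies.

// Module Access Policies as configured above: role-based, Result "Track",
// Impersonation flag decides whether an impersonating admin inherits access.
// "attachment_module" is a constructed module name.
const policies = [
  { module: 'attachment_module', type: 'Role', role: 'itil', result: 'Track', impersonation: true },
];

// Returns true if the session may decrypt an attachment encrypted with `moduleName`.
// session = { roles: [...], impersonatedBy: null | '<admin user>' }
function canDecrypt(session, moduleName, policyList = policies) {
  return policyList.some(p =>
    p.module === moduleName &&
    p.type === 'Role' &&
    p.result === 'Track' &&                          // only "Track" grants the operation
    session.roles.includes(p.role) &&
    (!session.impersonatedBy || p.impersonation));   // impersonated sessions need the flag
}

// Visibility rule from the "Multiple Modules" configuration: an attachment uploaded
// with module "none" is stored in clear and visible to anyone who can see the record;
// an encrypted one is visible only to sessions that can decrypt with its module.
function canViewAttachment(session, attachment, policyList = policies) {
  if (attachment.module === 'none') return true;
  return canDecrypt(session, attachment.module, policyList);
}

// Email notifications: encrypted attachments are never sent outside the instance
// because the policy cannot be evaluated there; unencrypted ones still go out.
function attachmentsForEmail(attachments) {
  return attachments.filter(a => a.module === 'none');
}

// Constructed sample: one encrypted and one plain attachment on an incident.
const incidentAttachments = [
  { name: 'internal-notes.pdf', module: 'attachment_module' },
  { name: 'reply-for-customer.pdf', module: 'none' },
];
const agent = { roles: ['itil'], impersonatedBy: null };
const endUser = { roles: [], impersonatedBy: null };
const adminAsAgent = { roles: ['itil'], impersonatedBy: 'admin' };
const noImpersonation = [{ ...policies[0], impersonation: false }];

// Expected: agent sees both, end user sees only the plain file,
// impersonating admin sees the encrypted file only while the flag is ticked.
```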
Please, share the post if you found it interesting and click on "Like".