Encryption on a Field Removes Query Operators

jjones
Tera Contributor

Does anyone know how to fix the issue where enabling Column Level Encryption on a field removes the default query operators in the condition builder?

For example, before adding an Encrypted Field Configuration:

[Screenshot]

After adding the Encrypted Field Configuration:

[Screenshot]


Is there a way to configure this to where the preexisting query options are available?
Adding the encrypted field configuration ends up preventing autocomplete from working, which affects the loading of Service Catalog dropdowns and Native UI dropdowns.

Replication Steps:

  1. PDI Instance: Xanadu Patch 4.
  2. Required Modules: Ensure the CLEE Enterprise module is installed and active.
  3. Create a ServiceNow Generated Key:
    1. https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/now-platform-encrypt...
  4. Add Encrypted Field Configuration (Note: requires security_admin elevation)
    1. [Screenshot]
  5. Schedule Mass Encryption job.
  6. Query Operators will no longer be present.

I hope this is the right forum; this is my first post. Thank you!


 


1 ACCEPTED SOLUTION

Jarod Mundt
ServiceNow Employee

This is by design. The ciphertext (encrypted data stored in the database) shouldn't give any hints about what it contains, and therefore "starts with" and "contains" (and similar) won't work.

 

When setting up the encryption key (cryptographic module) in the instance, there is an option to use "equality preserving" (i.e. no "salt" or crypto initialization vector), which will allow you to enable the "is same" and "is different" operators.
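The behaviour described in this answer, as an added Node.js example that is not part of the original thread and is not ServiceNow's code: it compares equality and "starts with" lookups over a column stored as ciphertext in randomized and equality-preserving modes. The keys, sample values, function names and the HMAC-derived IV used here to model "equality preserving" are assumptions; the page does not describe the platform's own construction.

```javascript
const crypto = require('crypto');

// Constructed demo keys (assumption); a real instance keeps keys in its key store.
const ENC_KEY = crypto.createHash('sha256').update('demo-enc-key').digest();
const IV_KEY = crypto.createHash('sha256').update('demo-iv-key').digest();

// Randomized mode: fresh IV per call, so equal plaintexts give unrelated ciphertexts.
// Equality-preserving mode (modelled here, assumption): the IV is derived from the
// plaintext itself, so equal plaintexts always give the same ciphertext.
function encrypt(plaintext, equalityPreserving) {
  const iv = equalityPreserving
    ? crypto.createHmac('sha256', IV_KEY).update(plaintext).digest().subarray(0, 16)
    : crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-ctr', ENC_KEY, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body]).toString('hex');
}

// Build a column of stored ciphertexts from plaintext values.
function buildTable(values, equalityPreserving) {
  return values.map((v, i) => ({ id: i + 1, ciphertext: encrypt(v, equalityPreserving) }));
}

// "is" operator: encrypt the search term and compare whole ciphertexts.
function queryIs(rows, term, equalityPreserving) {
  const needle = encrypt(term, equalityPreserving);
  return rows.filter((r) => r.ciphertext === needle).map((r) => r.id);
}

// "starts with" attempted on ciphertext: encrypt the prefix and look for it
// at the start of each stored value. It never matches in either mode.
function queryStartsWith(rows, prefix, equalityPreserving) {
  const needle = encrypt(prefix, equalityPreserving);
  return rows.filter((r) => r.ciphertext.startsWith(needle)).map((r) => r.id);
}

// What someone reading the raw column learns: repeated values are visible
// only in equality-preserving mode (fewer distinct ciphertexts than rows).
function distinctCiphertexts(rows) {
  return new Set(rows.map((r) => r.ciphertext)).size;
}

// Constructed sample column values; rows 1 and 4 hold the same plaintext.
const SAMPLE = ['Jones', 'Jonas', 'Smith', 'Jones'];
const randomized = buildTable(SAMPLE, false);
const deterministic = buildTable(SAMPLE, true);

console.log('is "Jones" (equality preserving):', queryIs(deterministic, 'Jones', true));
console.log('is "Jones" (randomized):', queryIs(randomized, 'Jones', false));
console.log('starts with "Jon" (equality preserving):', queryStartsWith(deterministic, 'Jon', true));
```

The distinct-ciphertext count is the cost of the option: equality-preserving mode reveals which rows hold the same value, which is the hint randomized ciphertext is meant to withhold.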


3 REPLIES

Hello Jarod,

Thank you for the information! I was able to find the equality preserving field you described. When configuring the Crypto Specification, the choice of algorithm directly affects whether equality-preserving encryption is supported.

[Screenshot]

 

I am surprised it is configured this way. I thought it was something the module access policy would determine. Pairing this with some solid ACL would probably work wonders. I'll try to find an alternative.

Thanks for your help!