Encryption on a Field Removers Query Operators

Go to solution
jjones
Tera Contributor

‎01-17-2025 11:12 AM

Does anyone know how to fix the issue where enabling Column Level Encryption on a field removes the default query operators in the condition builder?

For example before adding a Encrypted Field Configuration

jjones_0-1737140320891.png

 After Adding Encrypted Field Configuration

jjones_1-1737140408266.png


Is there a way to configure this to where the preexisting query options are available?
Adding the encrypted field configuration ends up preventing autocomplete to be able to work, which affects Service Catalog dropdowns and Native UI dropdowns from loading.

Replication Steps:

  1. PDI Instance: Xanadu Patch 4.
  2. Required Modules: Ensure the CLEE Enterprise module is installed and active.
  3. Create a ServiceNow Generated Key:
    1. https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/now-platform-encrypt...
  4. Add Encrypted Field Configuration (Note: requires security_admin elevation)
    1. jjones_2-1737140778916.png
  5. Schedule Mass Encryption job.
  6. Query Operators will no longer be present.

I hope this is the right forum; this is my first post. Thank you!


 


0 Helpfuls
  • 740 Views
1 ACCEPTED SOLUTION

Go to solution
Jarod Mundt
ServiceNow Employee
ServiceNow Employee

‎01-17-2025 12:23 PM

This is by design. The ciphertext (encrypted data stored in the database) shouldn't give any hints about what it contains, and therefore "starts with" and "contains" (and similar) won't work.

 

When setting up the encryption key (cryptographic module) in the instance, there is an option to use "equality preserving" (ie. no "salt" or crypto initialization vector), which will allow you to enable the "is same" and "is different" operators.  

View solution in original post

3 REPLIES 3

Go to solution
Jarod Mundt
ServiceNow Employee
ServiceNow Employee

‎01-17-2025 12:23 PM

This is by design. The ciphertext (encrypted data stored in the database) shouldn't give any hints about what it contains, and therefore "starts with" and "contains" (and similar) won't work.

 

When setting up the encryption key (cryptographic module) in the instance, there is an option to use "equality preserving" (ie. no "salt" or crypto initialization vector), which will allow you to enable the "is same" and "is different" operators.  

Go to solution
jjones
Tera Contributor
In response to Jarod Mundt

‎01-20-2025 05:11 AM

Hello Jarod,

Thank you for the information! I was able to find the equality preserving field you described. When configuring the Crypto Specification, the choice of algorithm directly affects whether equality-preserving encryption is supported.

jjones_0-1737377453557.png

 

0 Helpfuls

Go to solution
jjones
Tera Contributor
In response to Jarod Mundt

‎01-20-2025 05:15 AM

I am surprised it is configured this way. I thought it was something the module access policy would determine. Pairing this with some solid ACL would probably work wonders. I'll try to find an alternative.

Thanks for your help!

0 Helpfuls