
Encrypting attachments for specific catalog items

DaisukeSuzuki
Tera Contributor

Version: Zurich
Requirement: Encrypt attachments for specific catalog items only
Question: I configured the following, but the file attached to the specific catalog items was not encrypted. Is there something wrong with the settings?
Note: Decryption settings will be configured later.

 

[Creating an Encryption Module]
All > System Security > Field Encryption > Field Encryption Modules
Purpose: Symmetric Data Encryption/Decryption
Algorithm: AES 256 CBC

 

[Creating a Module Access Policy]
All > Key Management > Module Access Policies
Granular Operation: Symmetric Encryption and Decryption
Type: System Access

 

[Creating a Business Rule]
Table: Attachment (sys_attachment)
When: after insert
Scripts:
(function executeRule(current, previous /*null when async*/) {
    // Specific Catalog Item sys_id
    var TARGET_CAT_ITEM_SYSID = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
    // Field Encryption Module sys_id
    var ENCRYPTION_MODULE_SYSID = 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy';

    // Parent
    var parentTable = current.getValue('table_name');
    var parentSysId = current.getValue('table_sys_id');

    // RITM
    if (parentTable !== 'sc_req_item') return;
    var ritm = new GlideRecord('sc_req_item');
    if (!ritm.get(parentSysId)) return;

    // Specific Catalog Item Only
    if (ritm.getValue('cat_item') !== TARGET_CAT_ITEM_SYSID) return;

    // Encryption
    var gsa = new GlideSysAttachment();
    gsa.changeCryptoModule('sc_req_item', ritm.getUniqueValue(), current.getUniqueValue(), ENCRYPTION_MODULE_SYSID);
})(current, previous);

2 REPLIES

Tanushree Maiti
Kilo Patron

Please refer to this link and see if it helps you:

https://www.servicenow.com/community/developer-forum/encrypting-attachment-from-service-portal-recor....

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

PankajK75582456
Tera Contributor

Hi @DaisukeSuzuki ,

 

Instead of creating a module access policy for the system user, create it for a particular role, script, or user. The basic fundamental of a module access policy is to allow encryption/decryption for the right audience, and you are missing the right audience here.

 

If it helped you, please mark this answer correct and helpful.