Set encrypted field configurations

  • Release version: Yokohama
  • Updated January 30, 2025

Configure which table columns or attachments the system encrypts using a preconfigured cryptographic module.

    Before you begin

    Role required: sn_kmf.cryptographic_manager and security_admin or elevate role to security admin.

    About this task

    Make sure you are in the correct application scope so you can see the tables in that scope.

    Only users with access to the cryptographic module used in this configuration can read the data in the encrypted table column or access the attachment.

    • If a user has write access but not read access, the field displays in edit mode and the data entered displays as asterisks.
    • If a user has read access but not write access, the field displays the decrypted data in read-only mode.
    • If a user has all access, both read/write functionality is available on the encrypted field.

    See Create a cryptographic module or Create cryptographic module for Field Encryption to begin.

    Important:

    After encrypting a column, any new data inserted into the column is encrypted automatically. However, data that existed in the column before the encryption was active is not automatically encrypted.

    In order to encrypt data that existed before the column was encrypted, you must run a separate mass encryption job. Learn more about mass encryption in Run mass encryption or decryption.

    Procedure

    1. Navigate to All > System Security > Field Encryption > Encrypted Field Configurations > New.
    2. Select New.
    3. Complete the form.
      Field
        Description

      Type
        Select Column to encrypt a table column or Attachment to encrypt all of a table's attachments.

        Note: Attachment encryption is only available with Field Encryption Enterprise.

      Table
        Table whose fields or attachments are to be encrypted.

      Column
        If you have chosen Column in the Type field, select the fields to be encrypted.

        Note: If the field you want to encrypt is not available, it is not a supported type. The supported field types are:
        • String (including Full UTF-8)
        • Date, Date/Time
          Note: You can create encrypted field configurations to encrypt existing Date and Date/Time fields. You can add a new encryption configuration to a parent table only. You can’t add a new encryption configuration to a child table.
        • URL
        • HTML
        • Journal
        • Translated
        • Email
        • Phone

      Active
        Select to mark the configuration active. Deselect if the configuration isn’t yet in use.

      Crypto module
        The cryptographic module that the encrypted field configuration applies to.

      Method
        Select Single Module to set the field configuration across one module. Select Multiple Modules for role-based access that spans across more than one cryptographic module.
        • Single Module: Use this option to encrypt all attachments using a single module. Your users need access to this module, otherwise they aren't able to upload attachments.
        • Multiple Modules: Use this option to allow users to choose a module when uploading attachments. Users with access to at least one module can select a module to use for encryption. Users with no module access can upload unencrypted attachments.

      Algorithm Encrypted Preserving
        [read-only]

        Indicates if the crypto module that you selected is already configured to support non-deterministic encryption. This means that if the same data is encrypted more than once, the encryption is different each time.
    4. Select Submit.