Attachment encryption walkthrough

  • Versão de lançamento: Australia
  • Atualizado 12 de mar. de 2026
  • 4 min. de leitura

    • This walkthrough shows you how to encrypt an attachment in your instance using Field Encryption Enterprise with the Key Management Framework (KMF). It also shows you how to use your own key.

    Antes de Iniciar

    Nota:
    This procedure only applies to Field Encryption Enterprise functionality. See Activate Field Encryption for more information on obtaining Field Encryption Enterprise.

    Role required: sn_kmf.cryptographic_manager

    Por Que e Quando Desempenhar Esta Tarefa

    This walkthrough starts with an instance where you have already created and uploaded your customer-supplied cryptographic key. You could use the key, but this example uses a customer-supplied key.

    Upload confidential attachments in your instance and limit access from certain users. Use Encrypted Field Configuration to specify which authorized personnel can access sensitive data.

    We show you how to encrypt attachments to only be visible to users who are granted access, or be visible to all users that are not restricted from viewing the data. In this example, we restrict a certain role from being able to access an attachment in the Incidents module.

    Nota:
    Although you can use multiple modules with Field Encryption Enterprise, attachment encryption must use single modules.

    Procedimento

    1. Make sure that Field Encryption Enterprise is enabled.
    2. Create a cryptographic module.
      See Create cryptographic module for Field Encryption for more information.
    3. Navigate to All > System Security > Field Encryption > Field Encryption Experience.
    4. Select View module details from the Field Encryption overview to open the module record you want to configure.
    5. Select Encrypted Fields and Configure.
    6. Complete the form:
      Tabela 1. Encrypted field configuration fields
      Field Description
      Table Select the table to access the sensitive information. For this example, select Incident [incident].
      Type Select Attachment to use your personal key for encrypting an attachment from the selected Table For this example, select Incident.
      Active Mark Active to be able to use the field configuration.
      Importante:
      When active, your instance is actively encrypting new data in the selected fields or attachments. Users won’t have access to this data unless they have permission via an associated Module Access Policy. Don’t select if the field isn’t ready to begin encrypting and enforcing Module Access Policies.

      To verify historical data is encrypted after an Encrypted Field Configuration is active, you’ll need to run a Mass Encryption Job on the column. For details, see “Schedule Mass Encryption, Decryption, or Rekeying”.
      Encrypt by default

      When selected, records that don’t match row conditions will be encrypted using the Field Encryption module selected in the field below.

      When not selected, these records will not be encrypted.
      Field Encryption module The field encryption module used by this encrypted field configuration.
      Column If you have chosen Column in the Type field, select the fields to be encrypted.
      Nota:
      If the field you want to encrypt is not available, it isn’t a supported type. The supported field types are:
      • Date
      • Date/Time
      • URL
      • HTML
      • Journal
      • Translated
      • Email
      • Phone
      Algorithm Equality Preserving When selecting Field Encryption Enterprise, this field is visible based on the table selected. Displays whether Equality Preserving is enabled in the field encryption module selected in the Crypto Module field.
      Method The Single Module option is used to apply the policies for one module. Multiple Modules is used to apply the policies across multiple modules.
      Figura 1. Encrypted Field Configuration table
      Encrypted Field Configuration table
    7. Select Save.

      Establish a Module Access Policy (MAP) to assign access to the cryptographic module. Refer to Create a module access policy for additional information.

    8. Navigate to All > System Security > Field Encryption > Field Encryption Experience > Configurations > Access Policies.
    9. Click Create new.
    10. Select the Field Encryption (FE) module.
    11. Complete the form:
      Tabela 2. Module access policy fields
      Field Description
      Policy name Enter a name for the policy, such, as "Attachment policy."
      Type Select Role to restrict access to the encrypted field from users with the assigned role.
      Result Select Strict Reject to control the access to the attachment from the selected role. (To grant access for the selected role, select Track.)
      Crypto module Select the crypto module that you created to encrypt your key.
      Active Select this check box to be able to use the Module Access Policy.
      Target Role Select the role that will not have access to the encrypted field. For this example, select itil.
      Specify purpose Optional. Enable to display the Crypto Spec field on the form. Enable this option to configure granular operations, such as some users being able to encrypt, but not decrypt.
      Application The Application scope is auto-populated by your current scope.
      Figura 2. Module Access Policy form
      Module Access Policy form
    12. Click Submit.
    13. As user with access to the encryption module, navigate to Incidents and add an attachment to the form.

      Once the attachment is uploaded, it will be available from the Activities screen.

      Figura 3. Attachment available per role
      Attachment available per role
    14. Log in as a user that doesn't have access to the module.
    15. Open the incident and scroll to the Activities: section.
      The link to open the attachment isn't visible for users that don't have access to the module.

    Resultado

    You have successfully used your customer-supplied key to control access to a specific attachment using Field Encryption Enterprise.