Exploring Column Level Encryption

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Column Level Encryption

    Column Level Encryption is a built-in feature that allows the encryption of specific database fields and stored files using AES128 or AES256 algorithms. Users can define what data to encrypt, choose the encryption algorithm, and store the encryption key within the instance. Access to encrypted data is controlled through user roles, emphasizing the importance of role administration.

    Show full answer Show less

    Key Features

    • Role-based Access: Configure access to encrypted data based on user roles. Required role: security admin.
    • AES Encryption: Protect data with either AES-128 or AES-256 encryption. Required role: security admin.
    • Module Access Policies (MAPs): Create up to 5 MAPs to manage access, with enterprise version supporting more. Required role: security admin.
    • Field Types: Encrypt common field types such as strings, dates, and attachments, with enterprise supporting additional types. Required role: security admin.
    • Equality Preserving Encryption: Enables equality comparisons while maintaining encrypted values for the same field. Required role: security admin.
    • APIs: Use getDisplayValue() and setDisplayValue() APIs for handling encrypted data. Required roles: security admin, developer.

    Key Outcomes

    • Enhanced Security: Column Level Encryption Enterprise offers additional features like support for more field types and modules, automatic key rotation, and secure key management.
    • Improved Flexibility: Manage encryption keys lifecycle and utilize ephemeral keys for added security. Required role: security admin.
    • Guided Tour: A tour for setup and configuration of Column Level Encryption, including links to detailed documentation and training courses.

    Learn more about Column Level Encryption.

    Column Level Encryption overview

    Column Level Encryption is a base system feature that permits encryption of data stored within an instance using AES128, or AES256.

    Column Level Encryption enables you to encrypt selected database fields and stored files through the use of encryption contexts. In these contexts you define what is encrypted, choose which algorithm to use, and supply the encryption key, which is stored within your instance.

    After the context is created, you can associate it to a user role. Users assigned to this role, either directly of through a group, are able to access the encrypted data.

    Because Column Level Encryption bases access to data on role assignment, it’s important to be familiar with administering roles on your instance. For more information, see Managing roles.

    Column Level Encryption benefits

    Benefit Feature Required Roles
    Configure access to your encrypted data based on assigned user roles. Role-based access to encrypted data security admin
    Protect your data using the Advanced Encryption Standard (AES). You can choose to use either the AES-128 or AES-256 encryption algorithms. AES Encryption security admin
    Create up to 5 modules and module access policies (MAP)s using the standard version of Column Level Encryption. MAPs expand on role-based access to allow considerations for:
    • System users
    • Scripts
    • KMF Resource Exchange
    Column Level Encryption Enterprise supports additional MAPs.    		 Support for up to 5 modules and module access policies (MAP)s security admin
    Encrypt common field types using the standard version of Column Level Encryption. Column Level Encryption Enterprise supports additional field types. Encryption for String text, Date and Date/Time fields, attachments, and URLs security admin
    Choose between standard and equality preserving encryption. When enabled, equality preserving encryption ensures that the encrypted value of a field is the same when the field value remains the same. This type of encryption enables equality comparisons and group by operations on a field.
    Note:
    Non-deterministic encryption isn’t supported.
    		 Equality preserving encryption support security admin
    Use getDisplayValue() and setDisplayValue() APIs to return cleartext values and insert encrypted data for encrypted fields. getDisplayValue() and setDisplayValue() APIs security admin, developer

    Column Level Encryption Enterprise benefits

    Column Level Encryption Enterprise builds on the existing Column Level Encryption framework and provides these additional features after you purchase a subscription.

    Benefit Feature Required Roles
    Encrypt additional field types. Support for additional field types:
    • HTML
    • Journal
    • Translated
    		 security admin
    Column Level Encryption Enterprise supports more than 5 modules and module access policies to provide more options for access to secured data. Support for additional modules and MAPs security admin
    Keys from a key vault can be rotated on an automated schedule you configure. Using automatic key rotation can improve security while reducing administrative overhead. Configurable automatic key rotation security admin
    Manage the full life cycle of your data encryption keys. Optionally, you can securely exchange data encryption keys generated within your environment. Customer supplied keys security admin
    Ephemeral keys are cryptographic keys that are generated for each execution of a cryptographic process. These keys more secure because they’re generated for use in a single session. Ephemeral cryptographic keys security admin
    Updated setDisplayValue() and setDisplayValue() APIs can insert encrypted data for encrypted fields. Updated getDisplayValue() and setDisplayValue() APIs security admin, developer