Configuring Field-Level Encryption
Complete the following procedures to configure Field-Level Encryption. Configuration procedures are completed in the Server Manager and in CSM Administrator.
Important: To work with encryption keys, you must be an administrator with access to the Cherwell Server Manager. If you have a hosted environment, please contact Cherwell Support for assistance with encryption keys. SaaS Customers must review and sign a Field-Level Encryption addendum before working with Support to create encryption keys.
Good to know:
- Creating encryption keys does not create a backup. You must still export the key files (.ckf) and store them in a secure location.
- Encryption can only be enabled on Fields where the Business Object's history properties and the Field's General Properties are set to track Field changes.
- View-level auditing is enforced, and all attempts to decrypt an encrypted Field are recorded in Journal-History records. Business Objects containing encrypted Fields must have a history Relationship to Journals, which can be displayed in the Form Arrangement.
- Compliance logging can optionally be enabled to track decryption attempts in Splunk server logs. The Splunk Integration is included in hosted environments by default.
- CSM does not currently support encryption of Attachments.
- The Web API does not have access to view any encrypted Fields. Encryption is not available in the Public API.
- Field-Level Encryption is supported in multi-lingual environments (all localized versions of CSM).
- Before encrypting Fields, review the best practices.
To configure Field-Level Encryption:
- Configure encryption keys: In the Server Manager, create encryption keys. We recommend creating a separate key for each Major Business Object in which you plan to use Field-Level Encryption.
- Enable Field-Level Encryption: In a Blueprint in CSM Administrator, enable encryption for Business Object Fields using encryption keys.
- Add encrypted Fields to the appropriate Forms: Open a Form in the Form Editor, and add the encrypted Field in the desired location. A Button Control with the Decrypt Field command is also automatically added for your convenience. The button is not tied to the Field Control, and should be treated as a separate control.
- Publish the Blueprint.
- Define security rights for encrypted Fields: Use the Business Objects tab in the Security Group Manager to define who has access to view and/or edit encrypted Fields on Forms. Encrypted Fields do not have any rights selected by default.
- Add a Journal tab: Add Journals to the Form Arrangements of the appropriate Business Objects so that Users can view the history records for all encryption/decryption attempts on encrypted Fields.
See the free Video Learning Library course, Enabling Field-Level Encryption.