Best Practices for Encrypting Fields

Encrypted fields are more restricted than regular fields and require special handling.

Encrypted fields:

  • Cannot be searched, displayed in grids, or used in many of the areas where regular fields can (examples: One-Step Actions, expressions, widgets, etc.).
  • Cannot be used in reports as parameters or results.
  • Are stored in a database table separate from Business Objects, and cannot be indexed.
  • Cannot have default or calculated values, or set values based on lifecycle state.
  • Cannot use validation or auto-population.
  • Are limited to a maximum of 255 characters.
  • Cannot be permanently decrypted or converted back to unencrypted fields.

For best results, use the following guidelines and considerations when encrypting fields:

  • Back up your CSM database prior to encrypting fields so that you can restore your system if you experience unexpected results.
  • Create multiple encryption keys, one for each Major Business Object in which you plan to use field-level encryption.
  • To avoid confusion and potential data loss, use different encryption keys for test and production environments.
  • Ensure encryption keys are backed up.
  • Do not store data (.czar files) and encryption keys in the same location.
  • For best results, create a new field and encrypt it.
  • If it is necessary to encrypt an existing field, keep the following in mind:
    • The following fields cannot be encrypted: RecID, PublicID, automatically created fields (examples: Owned By, Owned By ID, Created Culture, etc.), and state fields (example: Incident.Status).
    • Check for dependencies to understand the impact of encrypting an existing field. If the field is used in areas where encrypted fields cannot be used or displayed, encrypting it could have unfavorable consequences.
    • Encrypted fields are limited to 255 characters. If you encrypt a field that exceeds this limit, it will be truncated.
    • Only text fields can be encrypted. To encrypt a field of a different type, convert it to text, publish the Blueprint, and then encrypt the field. Ensure the converted text field is long enough to avoid truncating values.