Configuring Field-Level Encryption

Complete the following procedures in the Cherwell Server Manager and in CSM Administrator to configure field-level encryption.

To work with encryption keys, you must be an administrator with access to the Cherwell Server Manager. If you have a hosted environment, please contact Cherwell Support for assistance with encryption keys. SaaS customers must review and sign a field-level encryption addendum before working with Support to create encryption keys.

Good to Know:

  • Creating encryption keys does not create a backup. You must still export the key files (.ckf) and store them in a secure location.
  • You can only enable encryption on fields where the Business Object's history properties and the field's general properties are set to track field changes.
  • View-level auditing is enforced, and CSM records all attempts to decrypt encrypted fields in Journal-History records. Business Objects that contain encrypted fields must have a history relationship to Journals, which can be displayed in the form arrangement.
  • Optionally, you can enable compliance logging to track decryption attempts in Splunk server logs. The Splunk Integration is included in hosted environments by default.
  • CSM does not currently support encryption of Attachments.
  • The Web API cannot view encrypted fields. Encryption is not available in the Public API.
  • Field-Level Encryption is supported in multi-lingual environments (all localized versions of CSM).
  • Before encrypting fields, review the best practices.

To configure field-level encryption:

  1. Configure encryption keys: In the Server Manager, create encryption keys. We recommend creating a separate key for each Major Business Object in which you plan to use field-level encryption.
  2. Enable field-level encryption: In a Blueprint in CSM Administrator, enable encryption for Business Object fields using encryption keys.
  3. Add encrypted fields to the appropriate forms: Open a form in the Form Editor, and add the encrypted field in the desired location. CSM automatically adds a button control with the Decrypt Field command. The button is not tied to the field control and should be treated as a separate control.
  4. Publish the Blueprint.
  5. Define security rights for encrypted fields: Use the Business Objects tab in the Security Group Manager to define who has access to view and/or edit encrypted fields on forms. Encrypted fields do not have any rights selected by default.
  6. Add a Journal tab: Add Journals to the form arrangements of the appropriate Business Objects so that users can view the history records for all encryption/decryption attempts on encrypted fields.