Configuring Field-Level Encryption
Complete the following procedures in the Cherwell Server Manager and in CSM Administrator to configure field-level encryption.
To work with encryption keys, you must be an administrator with access to the Cherwell Server Manager. If you have a hosted environment, please contact Cherwell Support for assistance with encryption keys. SaaS customers must review and sign a field-level encryption addendum before working with Support to create encryption keys.
Good to Know:
- Creating encryption keys does not create a backup. You must still export the key files (.ckf) and store them in a secure location.
- You can only enable encryption on fields where the Business Object's history properties and the field's general properties are set to track field changes.
- View-level auditing is enforced, and CSM records all attempts to decrypt encrypted fields in Journal-History records. Business Objects that contain encrypted fields must have a history relationship to Journals, which can be displayed in the form arrangement.
- Optionally, you can enable compliance logging to track decryption attempts in Splunk server logs. The Splunk Integration is included in hosted environments by default.
- CSM does not currently support encryption of Attachments.
- The Web API does not have access to view any encrypted fields. Encryption is not available in the Public API.
- Field-Level Encryption is supported in multi-lingual environments (all localized versions of CSM).
- Before encrypting fields, review the best practices.
To configure field-level encryption:
- Configure encryption keys: In the Server Manager, create encryption keys. We recommend creating a separate key for each Major Business Object in which you plan to use field-level encryption.
- Enable field-level encryption: In a Blueprint in CSM Administrator, enable encryption for Business Object fields using encryption keys.
- Add encrypted fields to the appropriate forms: Open a form in the Form Editor, and add the encrypted field in the desired location. CSM automatically adds a button control with the Decrypt Field command. The button is not tied to the field control and should be treated as a separate control.
- Publish the Blueprint.
- Define security rights for encrypted fields: Use the Business Objects tab in the Security Group Manager to define who has access to view and/or edit encrypted fields on forms. Encrypted fields do not have any rights selected by default.
- Add a Journal tab: Add Journals to the form arrangements of the appropriate Business Objects so that users can view the history records for all encryption/decryption attempts on encrypted fields.