Configuring Field-Level Encryption

Complete the following procedures to configure Field-Level Encryption. Configuration procedures are completed in the Server Manager and in CSM Administrator.

Important: To work with encryption keys, you must be an administrator with access to the Cherwell Server Manager. If you have a hosted environment, please contact Cherwell Support for assistance with encryption keys. SaaS Customers must review and sign a Field-Level Encryption addendum before working with Support to create encryption keys.

Good to know:

  • Creating encryption keys does not create a backup. You must still export the key files (.ckf) and store them in a secure location.
  • Encryption can only be enabled on Fields where the Business Object's history properties and the Field's General Properties are set to track Field changes.
  • View-level auditing is enforced, and all attempts to decrypt an encrypted Field are recorded in Journal-History records. Business Objects containing encrypted Fields must have a history Relationship to Journals, which can be displayed in the Form Arrangement.
  • Compliance logging can optionally be enabled to track decryption attempts in Splunk server logs. The Splunk Integration is included in hosted environments by default.
  • CSM does not currently support encryption of Attachments.
  • The Web API cannot view encrypted Fields. Encryption is not available in the Public API.
  • Field-Level Encryption is supported in multi-lingual environments (all localized versions of CSM).
  • Before encrypting Fields, review the best practices.

To configure Field-Level Encryption:

  1. Configure encryption keys: In the Server Manager, create encryption keys. We recommend creating a separate key for each Major Business Object in which you plan to use Field-Level Encryption.
  2. Enable Field-Level Encryption: In a Blueprint in CSM Administrator, enable encryption for Business Object Fields using encryption keys.
  3. Add encrypted Fields to the appropriate Forms: Open a Form in the Form Editor, and add the encrypted Field in the desired location. A Button Control with the Decrypt Field command is also added automatically for your convenience. The button is not tied to the Field Control and should be treated as a separate control.
  4. Publish the Blueprint.
  5. Define security rights for encrypted Fields: Use the Business Objects tab in the Security Group Manager to define who has access to view and/or edit encrypted Fields on Forms. Encrypted Fields do not have any rights selected by default.
  6. Add a Journal tab: Add Journals to the Form Arrangements of the appropriate Business Objects so that Users can view the history records for all encryption/decryption attempts on encrypted Fields.
© Copyright 2018 Cherwell Software, LLC. All rights reserved.