Encrypt Unencrypted Attachments with Script

The following sample script encrypts attachments that are not yet encrypted, using the incident table as an example.

// Entry point: the bulk encryption starts as soon as this script is executed.
bulkEncryption();
 
  /**
   * Runs one bulk-encryption pass and brackets it with log entries.
   *
   * The opening entry records the name returned by gs.getUserName(), so the
   * log shows who started the run. The table ("incident") and the encryption
   * context name ("testContext") are fixed sample values.
   *
   * The closing entry is written unconditionally: the value returned by
   * encryptAttachments is not inspected here, so "COMPLETED" does not by
   * itself mean that any attachment was encrypted.
   */
  function bulkEncryption() {
	var runBy = gs.getUserName();
	var startBanner = "*********** BULK ENCRYPTION RUN BY " + runBy;
	gs.log(startBanner);

	encryptAttachments("incident", "testContext");

	gs.log("*********** BULK ENCRYPTION COMPLETED");
  }
 
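  /**
   * Encrypts every not-yet-encrypted attachment of one table with the named
   * encryption context.
   *
   * Whoever runs this script must have access to the specified encryption
   * context. Without it, "changeEncryptionContext" changes nothing and only a
   * warning appears in the log: WARNING *** WARNING *** Attempt to get cipher
   * for encryption context 'contextName' without authorization
   *
   * Because that failure is silent, each attachment is read back after the
   * call and is logged and counted as encrypted only when its
   * encryption_context field references the requested context.
   *
   * @param {string} table - table whose attachments are processed (matched
   *   against sys_attachment.table_name)
   * @param {string} encryptionContextName - "name" of the
   *   sys_encryption_context record to encrypt with
   * @returns {number} number of attachments confirmed encrypted; 0 when an
   *   argument is missing or no context with that name exists
   */
  function encryptAttachments(table, encryptionContextName) {
	// Refuse to start a bulk change without an explicit table and context.
	if (!table || !encryptionContextName) {
		gs.log("*********** Table name and encryption context name are both required");
		return 0;
	}

	var contextGR = new GlideRecord("sys_encryption_context");
	contextGR.addQuery("name", encryptionContextName);
	contextGR.query();
	if (!contextGR.next()) {
		gs.log("*********** No such encryption context " + encryptionContextName);
		return 0;
	}

	var encryptionId = contextGR.getUniqueValue();

	gs.log("*********** BEGIN ENCRYPTING ATTACHMENTS FOR " + table + " TABLE");
	var attachmentGR = new GlideRecord("sys_attachment");
	attachmentGR.addQuery("table_name", table); // only attachments for the specified table
	attachmentGR.addNullQuery("encryption_context"); // only attachments not yet encrypted
	attachmentGR.query();

	var count = 0;
	var failed = 0;
	while (attachmentGR.next()) {
		// Pass the id as a plain string rather than the sys_id element object.
		var attachmentId = attachmentGR.getUniqueValue();
		var fileName = attachmentGR.getValue("file_name");

		var sysAttachment = new GlideSysAttachment();
		sysAttachment.changeEncryptionContext(attachmentGR.getValue("table_name"), attachmentGR.getValue("table_sys_id"),
			attachmentId, encryptionId);

		// Read the record back: an unauthorized call leaves it unchanged, and the
		// log must not claim encryption that did not happen.
		// NOTE(review): assumes a successful call sets sys_attachment.encryption_context
		// to the context's sys_id, as the null filter above implies - confirm on the instance.
		var checkGR = new GlideRecord("sys_attachment");
		var isEncrypted = checkGR.get(attachmentId) &&
			String(checkGR.getValue("encryption_context")) === String(encryptionId);

		if (isEncrypted) {
			gs.log("*********** ENCRYPTED [" + attachmentId + "] " + fileName);
			count++;
		} else {
			gs.log("*********** FAILED TO ENCRYPT [" + attachmentId + "] " + fileName);
			failed++;
		}
	}

	gs.log("*********** ENCRYPTED " + count + " ATTACHMENTS FOR " + table + " TABLE");
	if (failed > 0) {
		gs.log("*********** " + failed + " ATTACHMENTS FOR " + table + " TABLE WERE NOT ENCRYPTED; CHECK ACCESS TO CONTEXT " + encryptionContextName);
	}
	return count;
  }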

To write a script changing the encryption context from one context to another, access to both contexts is required.