Encrypt fields using encryption configurations

Configure Edge Encryption by defining encryption keys, assigning fields and attachments to be encrypted, and specifying encryption patterns.

To configure Edge Encryption, you must be connected to the instance through the proxy. Test all changes on a sub-production instance before making the changes to the production instance.

Define encryption keys

After setting up one or more proxies, you must configure the instance to use the encryption keys. This means entering the key alias (name), the key's size (128 or 256), and key type (file, Keystore, or Safenet) on the instance. After configuring the encryption keys, the instance verifies that the keys are available to all proxies. You cannot make an encryption key the default key unless all proxies have the key.

Assign fields and attachments to be encrypted

Assigning fields and attachments to be encrypted means assigning an encryption type to the field or attachment. Before marking a field as encrypted, evaluate these issues.
  • Determine what system features might be impacted.
  • Examine all scripts for use of the field.
  • Make any desired adjustments to the field's size. After a field has been configured for encryption, the field size cannot be changed.

Marking a field to be encrypted expands the field size to hold the extra space needed to store the encrypted data. The process of expanding the field size can take a long time depending on the number of records in the table.

Specify encryption patterns

The encryption patterns are string patterns to be replaced by tokens before being sent to and stored in the instance. You can define a string pattern or use one of the predefined patterns.
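The following sketch is an added example, not ServiceNow code: it illustrates the replace-with-token flow described above, with a proxy-side object that swaps pattern matches for tokens before text is stored and restores them on the way back. The sample patterns, the TOK_ token format, the reuse of one token per repeated value, and the class and function names are all assumptions made for illustration.

```python
import re
import secrets

# Constructed sample patterns (assumptions, not the product's predefined ones).
SAMPLE_PATTERNS = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "card": r"\b(?:\d{4}[ -]?){3}\d{4}\b",
}
TOKEN_RE = re.compile(r"TOK_[a-z]+_[0-9a-f]{16}")  # hypothetical token format


class PatternTokenizer:
    """Proxy-side sketch: swap pattern matches for tokens, keep the map local."""

    def __init__(self, patterns):
        # One combined regex, so text is scanned once and tokens are never re-matched.
        self._regex = re.compile(
            "|".join("(?P<%s>%s)" % (name, rx) for name, rx in patterns.items()))
        self._clear_to_token = {}  # (pattern name, clear value) -> token
        self._token_to_clear = {}  # token -> clear value; never leaves the proxy

    def _token_for(self, match):
        key = (match.lastgroup, match.group(0))
        if key not in self._clear_to_token:
            token = "TOK_%s_%s" % (match.lastgroup, secrets.token_hex(8))
            self._clear_to_token[key] = token
            self._token_to_clear[token] = match.group(0)
        return self._clear_to_token[key]

    def outbound(self, text):
        """Text as it would be sent to and stored in the instance."""
        return self._regex.sub(self._token_for, text)

    def inbound(self, text):
        """Text as shown to a user connected through this proxy."""
        return TOKEN_RE.sub(
            lambda m: self._token_to_clear.get(m.group(0), m.group(0)), text)


def demo():
    # Constructed sample text containing two kinds of sensitive strings.
    proxy = PatternTokenizer(SAMPLE_PATTERNS)
    clear = "SSN 123-45-6789 on file; card 4111 1111 1111 1111; SSN 123-45-6789"
    stored = proxy.outbound(clear)
    return clear, stored, proxy.inbound(stored)
```

A tokenizer that does not hold the mapping returns the stored text unchanged from inbound(), which is the view of anything reading the instance without going through the proxy.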

Create an encryption configuration

Select the fields to be encrypted and identify the encryption type.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > Create New.
  2. Fill in the fields on the form, as appropriate.
    Table 1. Edge Encryption configuration
    Field           | Description
    Table           | The table containing the field to be encrypted.
    Type            | Whether to encrypt a table column or attachments for the table. Select Column.
    Column          | The table field to be encrypted. This field appears when the Type is Column.
    Encryption type | The encryption type to use.
  3. Click Submit.

What to do next

After the encryption record has been added, you can create an encryption job to encrypt existing data. If you do not run an encryption job, the existing data is encrypted the next time it is changed.

Deactivate an encryption configuration

After configuring a field or a table's attachments to be encrypted, you can stop encryption by deactivating the encryption configuration. After deactivating encryption, you can run a Decryption job for fields or an Attachment Decryption job for attachments to remove the encrypted data from the instance.

Before you begin

Role required: security-admin

About this task

Warning: Deactivating an encryption configuration does not delete the encryption record, and the encryption type cannot be changed.

Procedure

  1. Navigate to Edge Encryption Configuration > Edge Encryption Configurations > All.
    The Edge Encryption Configurations list is shown.
  2. Click on the encryption configuration to be deactivated.
    The Edge Encryption Configuration form is shown.
  3. Click on the Active box.
    The Active box is clear.
  4. Click Update.
    The Edge Encryption Configurations list is shown.

What to do next

You can run a Decryption or Attachment Decryption job to decrypt data on the instance. If you do not run a job, the encrypted data is decrypted the next time it is changed.

Schedule an encryption job

You can schedule a job to find and encrypt any unencrypted data in a specified field, using the default encryption key configured for the field. If you do not create an encryption job after configuring a field for encryption, the records are encrypted as they are saved to the instance.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to schedule an encryption job for.
  3. Under Related Links, click Schedule Mass Encryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for any previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field    | Value
    Name     | Enter a descriptive name.
    Active   | Clear this check box if you want to deactivate this job.
    Job Type | Select Encryption.
    Table    | Select a table.
    Column   | Select a column.
    Run      | Select the period between job executions.
    Starting | Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.

Schedule a decryption job

You can schedule a job to decrypt data in an encrypted field so that clear data is stored in the instance.

Before you begin

Note: You must mark the encryption record for the field as inactive (clear the Active box) before the decryption job runs; otherwise, nothing happens.

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Configurations > All.
  2. Click the field that you want to decrypt.
  3. Under Related Links, click Schedule Mass Decryption Job.

    The Scheduled Encryption Job form is shown with all fields populated. The bottom of the form shows records for previous job executions.

  4. Fill in the fields on the form, as appropriate.
    Field    | Value
    Name     | Enter a descriptive name.
    Job Type | Select Decryption.
    Active   | Clear this check box if you want to deactivate this job.
    Table    | Select a table.
    Column   | Select a column.
    Run      | Select the period between job executions.
    Starting | Enter the date and time to run the job for the first time.
  5. Click the menu icon in the form header and select Save.
  6. To see an estimated count of records to be updated, click Estimate Record Count.
  7. To run the job immediately, click Execute Now.