Edge Encryption limitations

Edge Encryption impacts system functions. Carefully evaluate the impact of encrypting a field.

Field type restrictions

Restrictions on encrypting field types.
  • Only string fields can be encrypted. Choice fields, virtual fields, journal fields, and any fields other than string fields cannot be encrypted. See Field types for more information.
  • String fields that include more than five multi-byte characters cannot be encrypted.
  • Fields in system tables, except for certain fields in sys_user, cannot be encrypted.
  • System fields in tables cannot be encrypted.
  • Fields named "number" and fields associated with an auto-numbering scheme cannot be encrypted.
  • Encrypted fields are not available in Go to and header filter boxes.
  • When encrypting fields used as an index, only order preserving and equality preserving encryption types can be used. Indexed fields cannot be encrypted using the standard encryption type.

Configuration restrictions

Restrictions and behavior of encryption configurations.
  • After a field has been added to the Edge Encryption Configuration table, the configuration record cannot be deleted. If you no longer want a field to be encrypted, deactivate the record in the Edge Encryption Configuration table, and schedule an encryption job to decrypt the data.
  • If a field in a parent table is marked to be encrypted, the field in all inherited tables is also encrypted. For example, if the short description field in the Task table is encrypted, then the contents of the short description field in the Incident table are encrypted.
  • If a field inherited from a parent table is marked to be encrypted, the field in the parent table cannot be encrypted. For example, if short description in the Incident table is marked to be encrypted, then short description in the Task table cannot be encrypted. In the example, you can encrypt the short description in the Problem table.
  • When a field with an encryption configuration defined is exported to any format, the output includes encrypted values even when exported through the proxy server. Importing data to a field with an encryption configuration defined is not supported.
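The field type, indexing, and inheritance rules above can be checked before a configuration record is created, which matters because the record cannot be deleted afterward. The following is an added example, not ServiceNow code: the table hierarchy, the encryption type labels, the result codes, and the function names are all constructed for illustration. It covers only the rules that can be decided from table and field metadata.

```javascript
// Constructed sample hierarchy (child -> parent); not read from a real instance.
const PARENT = { task: null, incident: "task", problem: "task" };

// Hypothetical labels for the encryption types the page allows on indexed fields.
const INDEX_SAFE = new Set(["order_preserving", "equality_preserving"]);

// Return the chain of parent tables for `table`, nearest first.
function ancestors(table) {
  const chain = [];
  for (let t = PARENT[table]; t; t = PARENT[t]) chain.push(t);
  return chain;
}

// proposal: { table, field, fieldType, indexed, autoNumbered, encryptionType }
// existing: [{ table, field }] rows already present in the configuration table
// Returns a list of issue codes; an empty list means no listed rule is violated.
function checkProposal(proposal, existing) {
  const issues = [];
  // Only string fields can be encrypted.
  if (proposal.fieldType !== "string") issues.push("NOT_STRING");
  // Fields named "number" or tied to an auto-numbering scheme cannot be encrypted.
  if (proposal.field === "number" || proposal.autoNumbered) issues.push("AUTO_NUMBER");
  // Indexed fields cannot use the standard encryption type.
  if (proposal.indexed && !INDEX_SAFE.has(proposal.encryptionType)) {
    issues.push("INDEX_NEEDS_ORDER_OR_EQUALITY");
  }
  for (const cfg of existing) {
    if (cfg.field !== proposal.field) continue;
    // A child table already configures this field: the parent cannot be encrypted.
    if (ancestors(cfg.table).includes(proposal.table)) {
      issues.push(`CHILD_CONFIGURED:${cfg.table}`);
    }
    // A parent table already configures this field: the child is already encrypted.
    if (ancestors(proposal.table).includes(cfg.table)) {
      issues.push(`COVERED_BY_PARENT:${cfg.table}`);
    }
  }
  return issues;
}

// Constructed scenario from the page: short description is configured on Incident.
const existingConfigs = [{ table: "incident", field: "short_description" }];
const base = { field: "short_description", fieldType: "string", indexed: false,
               autoNumbered: false, encryptionType: "standard" };
console.log(checkProposal({ ...base, table: "task" }, existingConfigs));
console.log(checkProposal({ ...base, table: "problem" }, existingConfigs));
```
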

Instance restrictions

Impact of using Edge Encryption on the instance.
  • Back-end logic cannot process encrypted data. When the instance contains encrypted data, any business rule, back-end script, or back-end feature that relies on evaluating the data in the encrypted field does not run correctly.
  • Scripts run on the server cannot change encrypted data.
  • Global search is not supported. Because global search attempts to search both encrypted and clear text data, the results may not be what the user expects.
  • Encrypted data cannot be copied to a record where the field is not encrypted.
  • Depending on the type of encryption selected, the user interface functionality for the encrypted fields is reduced. For example, being able to compare, group by, sort, and search may be impacted. Generally, the stronger the encryption selected, the more functionality is reduced.
  • Other than file store, Java KeyStore, and SafeNet, no third-party software or hardware encryption key management is supported.
  • While multiple encryption proxies connected to a single instance are supported, encryption proxy cluster management and monitoring are not available. Each proxy must be managed separately.
  • Encrypting fields can affect performance. System configuration can affect the performance, workload, and the number of fields encrypted.
  • The Edge Encryption proxy server can only connect to a single instance.
  • If your instance uses an Oracle database and the string field you are marking to be encrypted is greater than 2925 characters, that field cannot be sorted even when order preserving encryption is selected.
  • If your instance uses an Oracle database, Unicode AL32UTF8 is the only supported character set.
  • Encrypted values included in emails remain encrypted.
  • Encrypted data cannot be used in reports.

Integration restrictions

Restrictions on data integrations with Edge Encryption.

  • Attachments cannot be uploaded via REST or SOAP to tables marked for attachment encryption.
  • Importing data from, or exporting data to, Excel, CSV, XML, or other file types is not supported for fields with encryption configurations defined.