Encryption support

Encryption is a process that scrambles information into a format that unauthorized parties cannot decode or use.

Users who have access to an encryption context can see data encrypted with that context. An administrator grants an encryption context to users by granting them the associated role.
Note: Impersonation does not change the encryption contexts available to a user. Even while impersonating, you have only the encryption contexts available to you originally.

After encryption, text fields and attachments are no longer accessible by database tools and cannot be indexed. In addition, users cannot add encrypted fields to a filter. You can encrypt all String fields, including fields provided by default in the system and new fields that you create in the dictionary.

Users with the admin role can activate the Encryption Support plugin.

Access to encrypted data

A user's encryption context determines access to encrypted data.

Access level: User with no encryption contexts
Data visibility: The form hides the encrypted field.

Access level: User with one encryption context
Data visibility: The user automatically uses their encryption context with encrypted text fields.
  • If there is no data in the field: The form displays the encrypted field (assuming UI policy does not prevent it). Users with any encryption context can see empty encrypted fields. Entering data in the field causes the encrypted fields to use the currently selected encryption context to encrypt the data.
  • If there is data in the field: If the user has access to the matching encryption context, the form displays the encrypted field.

Access level: User with two or more encryption contexts
Data visibility: The user can select an encryption context from the selector in the welcome bar.
  • If there is no data in the field: The form displays the encrypted field (assuming UI policy does not prevent it). Users with any encryption context can see empty encrypted fields. Entering data in the field causes the encrypted fields to use the currently selected encryption context to encrypt the data.
  • If there is data in the field: If the user has access to the matching encryption context, the form displays the encrypted field. The encrypted field always uses the original encryption context to encrypt changes to the field. This prevents users with multiple encryption contexts from changing the encryption context of a field.
Note: A lock icon appears next to the field label to indicate an encrypted field. If a user has access to the encryption context, pointing to the icon displays the name of the context used to encrypt the field.
Figure: Encrypted text fields lock icon
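
The access rules above, modeled as plain JavaScript so they can be checked against expected behavior when reviewing role grants. This is an added example, not platform code or a platform API: the user names, context names and function names are constructed, and it assumes a field that holds data is hidden from a user who lacks the matching context.

```javascript
// Constructed sample grants: user name -> encryption contexts held via roles.
const GRANTS = { alice: ['HR'], bob: ['HR', 'Legal'], carol: [] };

// Impersonation does not change the available contexts: they always come
// from the real (logged-in) user, never from the impersonated user.
function effectiveContexts(session) {
  return GRANTS[session.realUser] || [];
}

// field: { context: name of the context that encrypted it (or null),
//          hasData: whether the field currently holds a value }
function fieldVisibility(session, field) {
  const contexts = effectiveContexts(session);
  if (contexts.length === 0) return 'hidden';   // no contexts: field is hidden
  if (!field.hasData) return 'visible';         // any context sees empty fields
  // Assumption: without the matching context the field is not displayed.
  return contexts.includes(field.context) ? 'visible' : 'hidden';
}

// Returns the context that would encrypt a write, or null if the user
// cannot write to the field. `selected` models the welcome-bar selector.
function contextForWrite(session, field, selected) {
  if (fieldVisibility(session, field) === 'hidden') return null;
  // Existing data stays pinned to its original context, so a user with
  // several contexts cannot re-encrypt the field under a different one.
  if (field.hasData) return field.context;
  const contexts = effectiveContexts(session);
  // A single-context user uses that context automatically.
  const chosen = contexts.length === 1 ? contexts[0] : selected;
  return contexts.includes(chosen) ? chosen : null;
}

// Constructed scenarios
const emptyField = { context: null, hasData: false };
const hrField = { context: 'HR', hasData: true };
const adminAsBob = { realUser: 'carol', impersonating: 'bob' };

console.log(fieldVisibility(adminAsBob, hrField));                    // hidden
console.log(contextForWrite({ realUser: 'bob' }, hrField, 'Legal'));  // HR
console.log(contextForWrite({ realUser: 'bob' }, emptyField, 'Legal')); // Legal
```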