Encrypt an existing field

Create an encrypted field configuration to encrypt the value of an existing String or URL field using Encryption Support.

Before you begin

Role required: security_admin

About this task

Encrypted field configurations created to encrypt other field types can be deleted. Make sure to run a mass decryption before deleting an encrypted field configuration.

Procedure

  1. Navigate to System Security > Field Encryption > Encrypted Field Configurations.
    The Encrypted Field Configurations table [sys_platform_encryption_configuration] contains a record for each field encrypted with Encryption Support. You can manually create encrypted field configurations to encrypt existing String and URL fields.
  2. Click New.
  3. Complete the form.
    Field: Description
    Table: The table that contains the field to be encrypted.
    Column: The field to be encrypted. Only string and URL fields are supported.
    Method:
      • Single Encryption Context: Enables data to be encrypted with a single encryption context only. The field is encrypted with the encryption context defined in the Encryption context field. Users who do not have the encryption context cannot view or update field values.
      • Multiple Encryption Contexts: Enables data to be encrypted with more than one encryption context. The field is encrypted by the encryption context of the first user to enter data. If the user has multiple encryption contexts, the context defined in the encryption context selector is used. Because the encryption context is set on a per-record basis, fields in a list can have different encryption contexts. However, within a single record, the field can be encrypted by only one context.
        Note: Mass encryption is not available when using the Multiple Encryption Contexts method.

      After a configuration is created using the single encryption context method, you can update the record to use multiple encryption contexts. However, you cannot change a field using multiple encryption contexts to use a single encryption context.

    Encryption context: The encryption context for the encrypted data. Only visible when Single Encryption Context is selected in the Method field.

      Once an encrypted field configuration is applied to a field using the single encryption context method, you cannot change the encryption context.

      Note: To change the encryption context of an encrypted field configuration, run a mass decryption to decrypt the data, delete the existing encryption configuration, then create a new encryption configuration.
  4. Click Submit.

Result

New values added to the encrypted field are encrypted with the corresponding encryption context. If the multiple encryption contexts method is selected in the encrypted field configuration, each record is encrypted with the context of the user that enters the data.

What to do next

If using the Single Encryption Context method and data exists in the field that you want to encrypt, open the encrypted field configuration record and select Run mass encryption to encrypt existing values.