Encryptik Installation Guide








Encryptik installation:

Below is the AppExchange link to download and install it in your Salesforce organization.

https://appexchange.salesforce.com/listingDetail?listingId=a0N3000000B4quOEAR

To install the app, you will be asked for the login credentials of the org in which you want to install it. Sign in to the org as a System and install the application.

Once you have logged in successfully, the following screen appears. Click Continue.

image1

Approve the third-party access by checking the check box and click Continue.

image2

Review the Object Permissions on the next page and click Next.

image3

Select a security level. Grant access to all users is only recommended if you want your users to be able to access the application.

image4

Click Install and you’ll receive an email when Encryptik for Salesforce.com is installed in your organization.

image5

Congratulations! You have successfully installed Encryptik and are ready to go.



Accessing Encryptik Setup:

There are four ways of reaching the Encryptik Setup page.

Route 1:

Go to App Setup → Installed Packages → Click on 'Configure' as shown below.

image6

Route 2:

Click on the “+” sign as shown in the screenshot below and click on the 'Encryptik Setup' tab.

image7

Click on the Encryptik Setup link as shown below.

image8

Route 3:

You can directly copy and paste the following URL into a new tab.

https://csenc.ap1.visual.force.com/apex/CSENC__ENCConfig - (check your Salesforce instance ID)

Route 4:

Adding Encryptik to the Application tab. (Please refer to Appendix 1.0 at the end of the document.)

Encryptik Setup Page

Once you enter the setup page, you will notice that the setup module has the following 3 sections in the sidebar:

image9

1) Home Tab: - Contains basic information and guides you to Launch Setup.

2) Setup: - Allows you to setup Encryptik for your organization.

3) Utility: - Shows the additional utility features that Encryptik provides.


Let's set up the application by clicking Setup.


Key Setup:

This tab is used to set up the encryption key that is used to encrypt and decrypt the data. The key can be set as an Auto key or a Manual key.

This is a one-time setup option; once it is done, the key cannot be viewed or deleted.

The key is saved in a protected custom setting object that is to all (including the administrator or by salesforce support staff).


image10

Auto Key: This key is generated using the AES algorithm with a key size of 256. (Please refer to the Salesforce Crypto class.)

Click on the Auto Key button to set up the auto-generated key. A confirmation popup appears; once you confirm, an auto key is generated.

image11

Note: Clicking the Reveal Key button reveals the auto-generated key. This is the only time you can view it and save it in a secret place. At a later stage the key reveal option will not be available, even for the admin.

image12

Manual Key: To set up a Manual Key, click on “Manual Key”, then enter the key text as per the policy shown on the right side. Click on the Submit button.

image13


App Setup:

Remote Site Setup: By clicking the "Remote Site Setting" button at the top right, you can set up the remote site settings that the application requires.


Once you click on the Remote Site Setting button, you will see the popup as shown in the below screenshot.

image14

  • Click on the link 'Click here' inside the popup that would allow you to setup the Remote Site Settings in a new tab.

  • Make sure you have created two remote site settings using the Remote Site URL 1 and Remote Site URL 2.

image14


Customizing Home Page Layout:

To process the decryption you need to enable the home page component in the home page layout as shown below.


image15

image16

image17


Organization Level Configuration:

Organization level configuration record will be automatically created by the application. Click on ‘Manage’ to edit the settings.


image18

Clicking Manage opens the following popup:


image19

  • Is API Enabled: You can access the Encryptik app using SOAP and REST services.

  • Is Active: Indicates that Encryptik is active. If this is checked then data will be encrypted, if unchecked then data will not be encrypted in database. You can turn ON and turn OFF the Encryptik application with this checkbox.

  • View Encrypted Data: Indicates that you can see the data in encrypted format. If unchecked, you will be able to see the data in decrypted format even though the data inside the database is encrypted.

  • Save Configuration: If Checked, during the validation process (See point 4 to understand validation process), you will receive the configuration backup file link via email. You can directly upload this file in “Utility” tab “Config Import”.

Once you configure the Application Setup, click on Save.



Profile/User Level Configuration:

Using this option, you can set up Encryptik for a particular profile or user.


image20

Clicking the ‘Add’ button opens a popup that allows you to configure a new profile or user.


image21


Object Setup Tab:

Click on the object Setup tab to configure Encryptik for new objects or to change the existing configuration on the object.


image22

  • New: Click on New to configure Encryptik for new object.

  • Manage: Click on Manage link to edit the existing object’s configuration.

Clicking New redirects you to the screen below. Enter the object name in the search bar and select the same object from the dropdown, as shown in the screenshot below.


image23

All fields of the object would be listed to choose for encryption.


image24

Check the field(s) to be encrypted/tokenized and choose the appropriate encryption/tokenization scheme as per the field data type.

  • I agree for the backup: This will send you the backup file via email before the configuration is applied. It is always good to have your data backed up before the application encrypts it.

  • Encryption Scheme: By default, the applicable encryption/tokenization schemes for the data type are shown in the picklist. You can choose any encryption scheme that you need. Detailed scheme information is available in Appendix 2.

  • Is Searchable: Though the data is encrypted, still you can search the record using the Custom Search Page (Search Page available in Utility tab of the app).

  • Direction & Scale: Setup the direction and Scale if you want to encrypt only particular characters in the field text. If you specify direction as left and scale as 3, then only first three characters from left will be encrypted, remaining characters will remain same. You cannot setup direction and scale for the fields that are searchable.

  • Validate: This will not encrypt/decrypt the data but will just validate whether encrypt/decrypt is possible for the selected object fields. Validation results will be sent via email. If validation is successful then you may proceed with “Validate & Submit”. It is recommended to do a Validate before applying the changes.

  • Validate & Submit: This will validate first and then encrypt/decrypt all the data available in the org for the selected object configured fields.

  • Configuration Setup: With Configuration Setup, you can set up the trigger and add pages. A detailed explanation follows.


Trigger Setup:

The application provides a trigger code snippet that has to be added by the admin to start the configuration. This is a one-time activity by the admin. This trigger encrypts the configured fields whenever a new record is created or an existing record is updated.


Note: Trigger setup is recommended but not mandatory if you are using any custom controller to save the data. Instead, you can use Encryptik global service methods and APIs.


Click on Configuration Steps as shown below. This button lets you do two things: trigger setup and Visualforce page setup.


image26

If there is currently no trigger available for that object, click on the Add Trigger button. Clicking this button adds a new trigger to the object internally.


image27

If there is an existing trigger on the object, you can update it by adding the following code snippet to your existing code. It is highly recommended to use one trigger per object.

if (Trigger.isBefore && (Trigger.isInsert || Trigger.isUpdate)) {
    CEENC.ENCServices.encryptSObjectList(Trigger.new);
}

Add the above code to the end of the existing trigger body. The existing trigger must be declared for the before insert and before update events, because the call runs only in those contexts.



Visualforce Page Setup:

Click on the Add Pages button to create Visualforce pages that will automatically override the standard default actions (view, edit, clone, tab) for the selected object with the Encryptik component configured.


image28


File Encryption Component:

Click on the Add File Encryption Component button to create a Visualforce page for the selected object with the ENCAttach component configured.


image29

Steps to add file encryption component page to detail page layout:

  • Once the page is created with the “ENCAttach” component, go to the object for which you used “Add File Encryption Component” and click on “Edit Layout”.

  • Create a section to add the file encryption component Visualforce page.

  • Click on Visualforce Pages. The page name looks like ENCSelectedObjectFileEncryption (for example, if the selected object name is Account, the page name will be “ENCAccountObjectFileEncryption”).

  • Drag and drop the page into the section created and click on the save button.





Utilities

The utility tab contains seven sections.

  • Import Configuration

  • Export Configuration

  • Deploy Configuration

  • Data Export

  • Search

  • Query Explorer

  • Update Pages


Import Configuration:

This section is not for importing object data but only for importing configuration.

image30

By clicking the Import CSV button, you can import/upload an Encryptik configuration CSV file from another organization, if you already have an exported Encryptik configuration file.

image31

Validate: Validate will not alter any data but will just validate and send a report to the administrator.

Validate & Submit: Validate and Submit will first validate the data and then make the changes to your data as per the set configuration. The data will be encrypted/decrypted according to the configuration.


Export Configuration:

This section is not for exporting object data but only for exporting configuration. The Export wizard allows you to export the entire setup configuration from your organization as PDF or .csv file. After exporting the configuration the import utility can be used to import the entire configuration from one org to another.

image32


Deploy Configuration:

This section allows you to migrate the Encryptik configuration to another organization where Encryptik is already installed.

image33

Enter the login credentials and you will be redirected to below screen where you can validate and deploy the configuration into the target organization.

image34


Data Export:

This section is for exporting, in clear text format, the data of Encryptik-configured objects that is kept encrypted. Click on Data Export and you will get the list of Encryptik-configured objects.

Select the object and click on Export.

image35

You can also Schedule the Export using “Schedule Export” button. Just click on “Schedule Export” button and you will be redirected to the below screen.

image36


Query Explorer:

On click of this link from the utility tab, the query explorer will open in the new tab. This query explorer can be used for only Encryptik configured objects.

Select the object, fields and click on Execute. Scroll down to see the results.

image38


Update Pages:

Clicking this link shows the list of Visualforce pages.

image39

You can select the pages and click on ‘Update’ to add the Encryptik Component to existing visualforce pages that are not part of any managed package. This will help to integrate the Encryptik application with your existing custom applications.


Decryption Setup

Encrypt/Decrypt Access restrictions:

The admin has the option to set up users and profiles to restrict users to viewing the encrypted data.

By default, all users get to view the decrypted data unless set up otherwise in the configuration.

The admin needs to do the following to restrict access.

  • Go to App Setup → Develop → Custom Settings

  • You will see the Encryptik “App Settings”. Click on Manage.

  • Manage would give the following details.

  • By default, the organization-level value of View Encrypted Data is set to false. The admin can change the settings as per their business needs.


Appendix

Adding Encryptik as an App:

Follow the below steps to add the Encryptik to the custom application tab. Click on Setup → App Setup → Create→ Apps → New

image40

Click Next→ Next→ Select the Encryptik Setup→ Click Next

image41

Select the profiles to which Encryptik should be available.

image42

Click Save.

Now you can find the Encryptik App in your right hand side bar.

image43

Select the Encryptik and click on the ‘Encryptik Setup’. You will be redirected to the Encryptik setup page.





To create a search link on the home page:

Go to Setup→ App Setup→ Home→ Home Page Components→ Click on Edit behind the Custom links

image44

Add the bookmark as Encryptik Search and URL as /apex/CSENC__ENCSearch and click save.

image45

Go to Setup→ App Setup→ Home Page layout→ Edit→ Check the Custom links

image46

Now click on the Home tab and you can find the custom link showing the Encryptik search in your home tab.

image47


Generate Audit History Using ENC Audit Report:

Go to Reports tab→ Click on the Enc Audit Reports

image48

Click on Encryptik Audit History

image49

Once you click on Encryptik Audit History, you should be able to see the ENC Audit Report as shown in the screenshot below.

image50


Schemes details

Encryption Schemes:

Text Type-1 Encryption Scheme:
  • String encryption using AES256 Crypto.EncryptWithManagedIV().
  • Highest level of encryption.
  • Generates encrypted text which contains a minimum of 48 characters.
  • Scheme can’t be applied to fields less than 50 characters in length.
  • Fields with 80 character length can only enter 45 characters of data.
  • Fields with 255 character length can only enter 170 characters of data.
  • Not Searchable.

Text Type-2 Encryption Scheme:
  • String encryption using AES256 Crypto.Encrypt().
  • Applicable for fields less than 50 characters.
  • Generates encrypted text of a minimum of 28 characters.
  • Is Searchable.

Token Encryption Scheme:
  • Applicable to strings that have separators (,-) etc. which you want to preserve.
  • For example, ABC,XYZ will be encrypted as XXX,XXX, wherein the "," is not encrypted and is kept intact.
  • Suitable for fields having “,” separated data that needs to be kept intact.

URL Encryption Scheme:
  • Retains the URL details like WWW and .COM of the URL string.

Phone/Fax Encryption Scheme:
  • For Phone/Fax data types.

Tokenization Schemes:

Email Tokenisation Scheme:
  • For Email data types.
  • Tokenisation is done to the email, preserving the domain name.

Text Tokenisation Scheme:
  • Applicable for field sizes of 24 characters and less.
  • Tokenisation uses 4 more characters in addition to the actual data length. E.g. fields with 24 character length can only enter 20 characters of data.

Percent Tokenisation Scheme:
  • Tokenisation scheme for Percentage data types.

DateTime Tokenisation Scheme:
  • Handles DateTime data types.

Date Tokenisation Scheme:
  • Handles Date data type.

Double Tokenisation Scheme:
  • For Double and Currency data types.

Numeric masking Tokenisation Scheme:
  • For numeric data types wherein the length is fixed.
  • Used for specific fields where the data comes in the same length and it can’t be increased.

Text masking Tokenisation Scheme:
  • For text data types wherein the length is fixed.
  • Used for specific fields where the data comes in the same length and it can’t be increased.

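
The length limits in the scheme tables above, together with the Direction & Scale rule from Object Setup, can be checked against a field inventory before running Validate & Submit. The following Python is an added example, not Encryptik code: the scheme identifiers, the FieldPlan structure and the sample fields are constructed for illustration, and the 28-character floor for Text Type-2 fields is inferred from the stated minimum output length.

```python
# Added example (not Encryptik code): pre-flight check of planned field
# configurations against the limits stated in this guide's scheme tables.
from dataclasses import dataclass

# Usable data lengths the guide documents for Text Type-1, by field length.
TYPE1_DOCUMENTED_CAPACITY = {80: 45, 255: 170}


@dataclass
class FieldPlan:
    name: str                 # field name (sample values below are constructed)
    length: int               # defined length of the text field
    scheme: str               # "text_type_1", "text_type_2" or "text_tokenisation"
    longest_value: int        # longest value currently stored in the field
    searchable: bool = False  # "Is Searchable" checked
    scale: int = 0            # Direction & Scale in use when non-zero


def check(plan):
    """Return the documented rules this plan violates (empty list = none)."""
    problems = []
    capacity = None  # usable plaintext length, when the guide lets us derive it
    if plan.scheme == "text_type_1":
        if plan.length < 50:
            problems.append("Text Type-1 cannot be applied to fields under 50 characters")
        else:
            capacity = TYPE1_DOCUMENTED_CAPACITY.get(plan.length)
            if capacity is None:
                problems.append("capacity for this field length is not documented; run Validate")
        if plan.searchable:
            problems.append("Text Type-1 is not searchable")
    elif plan.scheme == "text_type_2":
        if plan.length >= 50:
            problems.append("Text Type-2 applies to fields under 50 characters")
        # Inferred, not stated: output is at least 28 characters, so a shorter
        # field cannot hold it.
        if plan.length < 28:
            problems.append("field is shorter than the 28-character minimum output")
    elif plan.scheme == "text_tokenisation":
        if plan.length > 24:
            problems.append("Text Tokenisation applies to fields of 24 characters or less")
        capacity = plan.length - 4  # tokenisation uses 4 extra characters
    else:
        problems.append("unknown scheme: " + plan.scheme)
    if capacity is not None and plan.longest_value > capacity:
        problems.append(
            f"longest stored value ({plan.longest_value}) exceeds usable capacity ({capacity})"
        )
    if plan.searchable and plan.scale:
        problems.append("Direction & Scale cannot be set on a searchable field")
    return problems


def report(plans):
    """Map each field name to its list of problems, keeping only failing fields."""
    return {p.name: found for p in plans if (found := check(p))}


# Constructed sample inventory; the first row is the FAQ's 252-in-255 case.
SAMPLE = [
    FieldPlan("Account.Notes__c", 255, "text_type_1", 252),
    FieldPlan("Contact.Passport__c", 80, "text_type_1", 40),
    FieldPlan("Contact.Code__c", 24, "text_tokenisation", 22),
    FieldPlan("Contact.Alias__c", 40, "text_type_2", 12, searchable=True, scale=3),
    FieldPlan("Lead.Memo__c", 120, "text_type_1", 60),
]

if __name__ == "__main__":
    for name, found in report(SAMPLE).items():
        for problem in found:
            print(f"{name}: {problem}")
```

Fields reported here should be resized, trimmed or moved to a different scheme before the configuration is submitted; a clean result does not replace the app's own Validate step.
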
Frequently Asked Questions
+Why should I set the key for the Encryptik app?

The key is an important aspect of the application. It is the first thing the administrator needs to set up as part of the application setup. The key is a vital component, as it is used for both the encryption and the decryption of data.

+The key is used for what purpose?

Encryption and decryption require this key; without it the data cannot be encrypted or decrypted.

+Do I have the option to change the key?

No, currently the application does not support changing or re-generating the key. The key, once generated for a particular org, will be there for its lifetime.

+What are the security issues if I reveal the key to others?

None. After encrypting data with the generated key, the application also masks the encrypted data, so anyone who has only the key would be unable to decrypt any information; the masking is additional security on top of the encryption.

+What will happen if I forgot the key or misplaced the key?

As said earlier, the key is generated only once and kept in a protected custom setting, which cannot be updated, deleted or retrieved. You need to keep the key information securely, as it cannot be regenerated or viewed later.

Once the key is generated and set, the application interacts only with that key and within the same org; it does not ask you to revalidate at any point.

+What is the chance of key hacking from the Salesforce database?

The key is saved in a protected custom setting, which administrators and Salesforce support are restricted from querying. So technically it cannot be viewed by anyone. In addition, the application encrypts the key twice before storing it, which leaves no room for the key to be hacked.

+What is the difference between an auto generated key and manual key?

When the key is auto-generated, a highly secure key is generated using the AES 256 protocol. In addition, one more internal key is generated, and the two are combined to form a secure key for encryption and decryption.

Similarly, for the manual key option, one more internal key is generated using the same AES 256 protocol and combined with the manual key to form a secure key for encryption and decryption.

To summarize, both keys are secure, and it does not matter whether you choose manual or auto key generation.

+Can I store the key in my own database?

Yes, you can do that. But you need to ensure that the application has access to this database and also it should be available all times for the smooth functioning of the encryption and decryption.

+Does Encryptik support all data types?

Except Geolocation and Multi-picklist, Encryptik supports all other Salesforce data types.

+Does Encryptik support any third-party data loader?

Encryptik supports third-party data loaders like Dataloader.io.

+ What happens to the data when I wish to uninstall the application?

Before uninstalling the application, all the data needs to be decrypted; otherwise the data will remain in encrypted format and you cannot get your data back after the application is uninstalled.

Encryptik provides various options for decryption wherein the data can be decrypted and you get your original data back.

The various options are Encryptik Data Export, Encryptik query explorer and also via disabling the configuration settings.

+ Why does string tokenisation need an additional 4 characters?

The additional 4 characters are generated for any data that uses string tokenisation as they store some information that is required during decryption of data.

+For 255 text area if some records have 252 characters stored in it, will the encryption work? If not, Why?

Encrypted data is always longer than the actual data. So, for a 255-character text area, only 170 characters of actual data can be stored.

+What is the highest level of encryption within the encryption schemes?

Text Type-1 encryption scheme is the highest level of encryption available.

+Should the "Is Searchable" option in the configuration always be selected for encryption to work?

No, Is Searchable is a feature we provide if you want that field's data to be searchable after it is encrypted.

+ If the administrator deactivates the trigger, what will happen to the data inserted after the deactivation?

If the trigger is deactivated, the records inserted after that will be in plain text format. To encrypt this data, all those records need to be passed to the ENCServices, which will return the records with encrypted text.

So we recommend that the Encryptik trigger is not touched after the setup. If the trigger is deleted or made inactive the application won’t be able to automatically sync the object.

+Can I change the earlier configured schemes for a field to a different one? What will be the impact on the records?

Yes, you can change the scheme for an already configured field. Records will be automatically updated according to the new configuration.

+We have some major implementation happening involving some data migration into salesforce from other systems? How can I temporarily DISABLE encryption?

You can temporarily disable the Encryptik app by turning off the “Is Active” checkbox provided in the setup page.

Once you are ready to activate it again, just turn on the “Is Active” checkbox and the existing data will be automatically reconciled as well.

+Can I keep some data encrypted and some data decrypted in the same object as some records are created by specific sales rep who deals with high profile clients?

Yes, you can. There is an additional condition that needs to be added to the triggers and the VF pages but it can be achieved using the Encryptik application.

The only limitation is, only encryption schemes should be used. No tokenisation schemes should be used.

+There are production support profiles, and I want these profiles to see only encrypted data, as they are vendors who provide support to the system. They need not see the production data. Does Encryptik support this scenario?

Yes, the Encryptik application supports this. You just need to add the Read Only or Production Support profile to the Custom Setting and set the field "View Encrypted Data" to TRUE.

+What will happen to data that are imported to the salesforce database via Dataloader or any other ETL tool? Will those data be encrypted or need some manual process to encrypt this?

When importing data using any ETL tool or Dataloader, make sure the trigger is active on the object into which the data is being imported; it will automatically encrypt the data and save it in the database.

+There is a requirement from compliance to get some information for some specific data that is stored in encrypted format within the database. We need to run some ad hoc queries to view and analyse this data. Is it possible to run custom queries on the encrypted data?

Encryptik Query Explorer can be used to run any custom queries to access the actual data.

+I want to do a generic search on the encrypted data. Is it possible?

Yes, the Encryptik application provides a VF page (similar to the Salesforce Search page) where you can search any text. The text will be configured objects. The search page can be placed in the home page sidebar. The search operation is also exposed as web services, so users can write their own custom search page.

+Is sort supported for the encrypted data?

Sorting is not currently available. It is on the roadmap, where the data is shown in a JS/HTML table to which you can apply sorting, filtering and many other features.

+Our organization uses some managed packages from the AppExchange. These packages have VF pages which pull information from the database. Can we integrate Encryptik within these pages to view the decrypted data?

Managed package components (VF pages, components, classes, triggers) cannot be overridden. Encryption can still happen, as it happens at the database level (a new trigger can be created for a managed custom object). But to see the decrypted data, the app provides a component called which needs to be injected into the VF pages. The alternative solution for letting the managed package show the clear original data is to use the home page component or a browser extension.

+Can I create or schedule reports that access encrypted data? Reports generated should be in decrypted format, as these reports are MIS reports to be sent to the management.

The app provides the "Query Explorer" utility, which lets you build a query on the fly and then shows the clear data on the screen (just like reports). The same query can be scheduled for a future run, and user(s) can be notified.

+Can I do periodic backup of the objects (data is kept encrypted) as these are sensitive data and we need to archive these data periodically?

The application provides "Data Export" utility, where you can export the data immediately. It can be scheduled for future export as well. Data export happens in the background, all data will be exported to a csv file and stored in Document inside the salesforce org. The user will receive an email as soon as the data export job is completed.

+ I need to Export the objects which are currently marked as critical and have data stored in encryptik format?

The application provides "Data Export" utility, where you can export the data immediately. It can be scheduled for future export as well. Data export happens in the background, all data will be exported to a csv file and stored in a document inside the salesforce org. The user will receive an email as soon as the data export job is completed. Apart from this, the app provides "Query Explorer" which provides data on the screen and can be exported into CSV file. But it is recommended to use if you have a small data set (less than 10K records).

+ I need to encrypt an entire object, as Compliance wants the entire object to be kept encrypted. So rather than choosing each field, do you have an option to select the object?

We are not providing this now. If it is needed, we can add a "Select All" option to the field selection so that all fields are configured (which is similar to entire-object encryption). The reason for not providing a "Select All" option is to make sure the admin configures the fields and schemes carefully, looking at the data type and size restrictions. Also, "Select All" will impact the performance of the application.

+Can I manually run sync on any particular object ?

The app does not provide any direct/manual sync. But there is an alternative way to sync the data for one object. The admin can go to the config page and deactivate all the fields (which converts all the encrypted data to clear original data). Activating the fields again will sync the data for that object (converts all the clear data to encrypted data).

+ Our organization has customised our Salesforce enterprise and has many custom applications built by our team. Does the Encryptik application support our custom applications?

Yes, the Encryptik application supports all custom applications built using VF pages and Apex classes. For more information, check the "How to integrate and implement custom application" document.

+For integrating Encryptik with custom application do we need a major implementation?

Yes and no, as it depends on how the data comes into and goes out of the Salesforce database. If your custom application does not depend on any encrypted fields, you do not need to make any changes. If it uses any encrypted fields, you need to change your code.

For VF page changes, the app provides a utility which will add one component after automatically. You can also add this component manually to any VF page. For Apex classes, you can use global service methods like encrypt, decrypt & query to do any operation. Also, the app comes with robust APIs (both REST and SOAP) with which you can integrate. Check the API integration document for more examples and other information.



Our Location

CEPTES Software Pvt. Ltd.
Unit 519A,2nd Floor, Beta Block,
Sigma Tech Park,
Whitefield Road,
Bangalore - 560066,
India

Send a mail

contact@encryptik.com

Call us

+91-80-40901082