Field-Level Encryption for Sensitive Data

Expert

Encrypt sensitive field values individually using CryptEncrypt and CryptDecrypt for data that must stay protected even from privileged users.

What you'll learn

  • FileMaker's CryptEncrypt and CryptDecrypt functions
  • Choosing an encryption key management strategy
  • Trade-offs of field-level vs. database-level encryption
  • Practical patterns for encrypting PII in FileMaker

Database-level encryption protects the file at rest. But what if you need to protect specific field values from users who have access to the file, including developers? Field-level encryption using CryptEncrypt/CryptDecrypt lets you store values that only users with the correct key can read, even if they have full access to the table.


CryptEncrypt and CryptDecrypt

FileMaker 19+ includes `CryptEncrypt(algorithm; key; data)` and `CryptDecrypt(algorithm; key; base64EncodedData)`. The result of CryptEncrypt is a Base64-encoded encrypted string suitable for storage in a text field. Use AES-GCM-256 for the algorithm.

FileMaker Script

```
// Encrypt an SSN before storing
CryptEncrypt ( "AES-GCM-256" ; $encryptionKey ; Contacts::SSN )

// Decrypt when displaying to authorized users
CryptDecrypt ( "AES-GCM-256" ; $encryptionKey ; Contacts::SSN_Encrypted )
```
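
What an AES-256-GCM field value stored as Base64 text involves, shown as an added Node.js illustration (not FileMaker code and not part of the original lesson): a fresh nonce per value, and decryption that fails outright on a wrong key or altered ciphertext. The envelope layout (nonce, ciphertext, tag), the `context` string and the function names are assumptions for this sketch, not FileMaker's storage format.

```javascript
// Added illustration, not FileMaker code. Envelope layout is an assumption.
const nodeCrypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt one field value; returns Base64 text: nonce || ciphertext || tag.
function encryptField(key, plaintext, context = '') {
  // A fresh random nonce per value: a nonce must never repeat under one key.
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  // Hypothetical context (e.g. table:record:field) is authenticated, not
  // encrypted, so a value copied into another record fails to decrypt.
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64');
}

// Decrypt a stored value; returns the plaintext, or null if authentication fails.
function decryptField(key, stored, context = '') {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < NONCE_LEN + TAG_LEN) return null; // too short to be valid
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const ct = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAAD(Buffer.from(context, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong key, wrong context, or modified ciphertext
  }
}

// Constructed sample data (not real PII); the key is random for the demo only.
const demoKey = nodeCrypto.randomBytes(32); // 256-bit key
const demoStored = encryptField(demoKey, '000-00-0000', 'Contacts:42:SSN');
console.log('stored   :', demoStored);
console.log('decrypted:', decryptField(demoKey, demoStored, 'Contacts:42:SSN'));
console.log('wrong key:', decryptField(nodeCrypto.randomBytes(32), demoStored, 'Contacts:42:SSN'));
```

Because the nonce is random, encrypting the same value twice yields different stored text, so encrypted fields cannot be compared or indexed for equality.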
