
Encryption of Attachments

Has anyone done encryption of attachments using the Crypto class? What we want to do is encrypt attachments for all users and give only specific users the ability to decrypt. Can someone share their code? I am new to this functionality and I would like to get some sample code to get me started. Unfortunately, I can't find a whole lot on this use case here, and the sample code provided here doesn't help me much either.

Any info is appreciated.

I've done encryption in general, and here's how I might go about it using the Crypto class:


1. Custom setting that stores a key.

2. Trigger that encrypts attachments on insert.

trigger encryptAttachment on Attachment (before insert) {
    // before insert: records in Trigger.new are still writable here,
    // so the encrypted Body is what gets saved.
    EncryptionKey__c keySetting = EncryptionKey__c.getOrgDefaults();
    // Generate and store a 256-bit key the first time the trigger runs.
    if (String.isBlank(keySetting.AesKey__c)) {
        keySetting.AesKey__c = EncodingUtil.base64Encode(Crypto.generateAesKey(256));
        upsert keySetting;
    }
    Blob aesKey = EncodingUtil.base64Decode(keySetting.AesKey__c);
    // Encrypt each body in place; a random IV is generated and prepended to the ciphertext.
    for (Attachment record : Trigger.new) {
        record.Body = Crypto.encryptWithManagedIV('AES256', aesKey, record.Body);
    }
}

3. Create a controller that can decrypt an attachment (note, security check for authorization not included):

public with sharing class decryptAttachment {
    public Id attachmentId { get; set; }

    public decryptAttachment(ApexPages.StandardController controller) {
        attachmentId = controller.getId();
    }

    public PageReference decryptAttachment() {
        Document d = new Document();
        d.FolderId = UserInfo.getUserId();   // the user's private document folder
        Attachment a = [SELECT Id, Name, Body, ContentType FROM Attachment WHERE Id = :attachmentId];
        d.ContentType = a.ContentType;
        EncryptionKey__c keySetting = EncryptionKey__c.getOrgDefaults();
        Blob aesKey = EncodingUtil.base64Decode(keySetting.AesKey__c);
        // The IV prepended by encryptWithManagedIV is read back from the stored body.
        d.Body = Crypto.decryptWithManagedIV('AES256', aesKey, a.Body);
        d.Name = a.Name;
        insert d;
        return new ApexPages.StandardController(d).view();
    }
}

4. Create a page that can be used with the controller:

<apex:page standardController="Attachment" extensions="decryptAttachment" action="{!decryptAttachment}"></apex:page>

5. Create a VF page that lets users decrypt attachments by selecting one from a list (not included for brevity).

I use a Document that I'll store in the user's private document folder (My Documents), which is inaccessible to any other user. We can delete the attachment later after it's been downloaded by the user to reclaim used space (I'd say probably an hour or so).

This is about 75% of what you need, the rest is just a page and some more logic.
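The answer above leaves the authorization check out of step 3. The following is an added example, not the poster's code, of how that decrypt step looks with the check in place. It assumes a custom permission named Decrypt_Attachments (hypothetical) that is assigned only to the users allowed to decrypt, and reuses the EncryptionKey__c custom setting and the AesKey__c field from the answer.

```apex
// Added example (not the original poster's code): step 3 with an explicit
// authorization gate. Assumes a custom permission "Decrypt_Attachments"
// (hypothetical name) and the EncryptionKey__c.AesKey__c setting from the answer.
public with sharing class DecryptAttachmentSecure {
    public class NotAuthorizedException extends Exception {}

    private final Id attachmentId;

    public DecryptAttachmentSecure(ApexPages.StandardController controller) {
        attachmentId = controller.getId();
    }

    // True only when the running user holds the custom permission.
    public static Boolean canDecrypt() {
        return FeatureManagement.checkPermission('Decrypt_Attachments');
    }

    public PageReference decryptAttachment() {
        if (!canDecrypt()) {
            // Fail closed before touching the record, so the response does not
            // reveal whether the attachment exists.
            throw new NotAuthorizedException('Not authorized to decrypt attachments');
        }

        // WITH SECURITY_ENFORCED makes the query fail if the running user lacks
        // read access to Attachment or to any of the selected fields.
        Attachment a = [SELECT Id, Name, Body, ContentType
                        FROM Attachment
                        WHERE Id = :attachmentId
                        WITH SECURITY_ENFORCED];

        EncryptionKey__c keySetting = EncryptionKey__c.getOrgDefaults();
        Blob aesKey = EncodingUtil.base64Decode(keySetting.AesKey__c);

        // decryptWithManagedIV expects the 16-byte IV prepended to the
        // ciphertext, which is what encryptWithManagedIV wrote in the trigger.
        Blob plaintext = Crypto.decryptWithManagedIV('AES256', aesKey, a.Body);

        // Same delivery mechanism as the answer: a Document in the user's
        // private folder, which no other user can read.
        Document d = new Document();
        d.FolderId = UserInfo.getUserId();
        d.Name = a.Name;
        d.ContentType = a.ContentType;
        d.Body = plaintext;
        insert d;
        return new ApexPages.StandardController(d).view();
    }
}
```

A wrong key or a modified ciphertext surfaces as an exception from decryptWithManagedIV, since AES-CBC alone gives no integrity check; the caller should treat that as a failure rather than serving partial output.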

David Cheung 7
Great stuff, like it.