Custom Field Admin - Encrypted Short Text Box

Encrypted Short Text Box custom fields are available in User Record Custom Fields. Values entered in fields of this type are stored in encrypted form. They are not accessible to anyone who does not have the key needed to decrypt the data. This field type can be used to store sensitive user information, such as social security numbers.

The Encrypted Short Text Box custom field is a short text box with the ability to input alphanumeric values, up to 50 characters. As with other custom field types, these fields can have a set availability.

Values in encrypted custom fields can be sent, still encrypted, via an outbound data feed.

When entering values for an encrypted custom field, the values being entered are visible until the field is saved. Upon saving the field, the value appears as asterisks (e.g., ******).

When viewing an encrypted custom field within the system, the custom field values appear as asterisks (e.g., ******).

When editing an encrypted custom field, users cannot make partial edits to an existing value. The previous value is removed completely when the field is edited. Upon saving the field, the new value appears as asterisks (e.g., ******).


Inbound Data Feeds do not support encrypted custom fields. An inbound data feed cannot be set up to send data to be encrypted for these fields.

The Data Load Wizard User Load does not support encrypted custom fields.


The availability of this functionality is controlled by a backend setting and is available by request.

Organizations must create their own public and private keys in order to use this functionality. Usually, the organization's IT department can assist in creating and distributing the public and private keys.

Organizations must provide Cornerstone OnDemand with the public key certificate that is used for encryption in order to have the functionality enabled for their portal. The public key certificate is stored in the organization's database.

Public key certificates must be provided as a file in .crt format.

Once a field is encrypted, Cornerstone OnDemand cannot decrypt any data that is entered.


Cornerstone OnDemand uses RSA encryption to encrypt the UTF8 encoded alphanumeric text that is entered in the encrypted custom field. RSA encryption involves a public key and a private key. The public key can be shared and is used for encrypting messages. Messages that are encrypted with the public key can only be decrypted using the private key.

There are multiple ways to generate the public and private keys. Organizations should work with their IT departments to determine the most appropriate way to generate the keys. Cornerstone OnDemand does not support the creation or distribution of public or private keys.

Encryption can only be performed once a public key certificate is added to the organization's system.
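
The key custody model described above, sketched with the OpenSSL command line as an added example (not Cornerstone OnDemand's implementation or tooling): an organization creates a key pair and a .crt certificate, a value is encrypted using only the certificate, and only the matching private key recovers it. The file names, certificate subject, 2048-bit key size, OAEP padding and sample value are assumptions; the page does not state the key size or padding scheme the product uses.

```shell
#!/usr/bin/env bash
# Added example. Names, key size and OAEP padding are assumptions, not product settings.
set -eu

WORK="$(mktemp -d)"            # scratch directory for the constructed keys and data
trap 'rm -rf "$WORK"' EXIT     # do not leave private keys behind

# Organization side: create a private key and a self-signed certificate in .crt format.
make_keypair() {  # $1 = basename for the .key and .crt files
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=encrypted-field-demo" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  chmod 600 "$WORK/$1.key"     # the private key never leaves the organization
}

# Certificate holder: encrypt a UTF-8 value with the public key inside the .crt.
encrypt_value() {  # $1 = cert basename, $2 = plaintext, $3 = ciphertext file
  printf '%s' "$2" | openssl pkeyutl -encrypt -certin -inkey "$WORK/$1.crt" \
    -pkeyopt rsa_padding_mode:oaep -out "$3"
}

# Private key holder: recover the value. Returns non-zero if the key does not match.
decrypt_value() {  # $1 = key basename, $2 = ciphertext file
  openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

make_keypair org      # the organization's key pair
make_keypair other    # an unrelated key pair, to show that it cannot decrypt

SAMPLE="123-45-6789"  # constructed sample value
encrypt_value org "$SAMPLE" "$WORK/field.bin"

echo "ciphertext bytes:        $(wc -c < "$WORK/field.bin" | tr -d ' ')"
echo "decrypted with org key:  $(decrypt_value org "$WORK/field.bin")"
if decrypt_value other "$WORK/field.bin" >/dev/null; then
  echo "unexpected: unrelated key decrypted the value"
else
  echo "unrelated private key:   decryption failed"
fi
```

A 50-character alphanumeric value is at most 50 bytes of UTF-8, which fits in a single RSA-2048 OAEP block, so no chunking or hybrid encryption is needed in this sketch.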


Encrypted custom fields are visible in the following areas:

Page | User/Admin | Write/Read Only
--- | --- | ---
User Record | Admin | Write
Requisition Preferences | Admin | Read Only
Applicant Profile | User | Write
My Account | User | Write or Read Only
My Account Preferences | Admin | Write
Analytics | Admin/User | Read Only

Encrypted Fields in Outbound Data Feeds

Organizations are able to create a report or schedule an outbound data feed via Analytics, which can contain encrypted values for any encrypted fields included in the feed. In addition, custom outbound data feeds can be created via work order by request, which can contain encrypted values for any encrypted fields included in the feed. The encryption allows only users with the decryption key to decrypt the data for these data feeds.