How to Secure Sensitive Data with Field-Level Encryption

1. Feature Overview

LeadSquared’s Field-Level and File-Level Encryption (FLE) enhances data security by encrypting sensitive information at the individual field level. This ensures that critical data, such as identification numbers, attached documents or financial details, remains protected from everyone outside your organization.

This feature enables secure storage and access to sensitive data across Leads, Opportunities, and Activities. Encryption can be applied to both system and custom fields, as well as Lead CFS. Additionally, LeadSquared supports Bring Your Own Key (BYOK) through AWS Key Management Service (KMS), allowing organizations to manage and control their own encryption keys for advanced security and compliance.

Example

Suppose your sales team collects customers’ PAN Numbers and Bank Account Details in LeadSquared. With Field-Level Encryption enabled, when a PAN Number like ABCPD1234F is entered, it’s stored encrypted (e.g., M7p9aZ1Qw==).

2. Prerequisites

  • Field-Level Encryption is not available by default. Reach out to support@leadsquared.com to get it enabled.
  • You must be an Admin to configure Field-Level Encryption.
  • If you’d like to control your own Encryption Key instead of generating one from LeadSquared directly, you can get it through AWS Key Management Service (KMS).

3. How It Works

  1. The admin configures the Encryption Key in the Key Management page and selects the fields to be encrypted in the Web App Settings.
  2. When a user enters data into an encrypted field (including fields in Leads, Opportunities, or Activities), the CRM automatically encrypts the data before saving it.
  3. The encrypted value is securely stored in the database or storage system.
  4. When a user accesses the record, LeadSquared decrypts the data using the configured encryption key (including BYOK if enabled via AWS KMS).

4. What Can Be Encrypted

Field-Level Encryption can protect the following types of sensitive data (non-exhaustive list):

Full Name, Phone/Mobile, Email, Address, PAN, Aadhar, ABHA, DL, Voter ID, SSN, Passport, Bank & Credit Card Info, Vehicle Plate Number, etc.

Maximum fields and supported fields and data types, by entity –

  • Lead / Object – Maximum Fields: 10 fields per type. Supported Fields & Data Types:
    • System Fields: First Name, Last Name, Phone, Mobile, Email, Facebook, Google Plus, Google Talk User, LinkedIn, Latitude, Longitude, Skype Name, Twitter
    • Default Custom Fields: Address 1, Address 2, City, State, Country, Zip, Job Title, Company
    • Custom Fields: Text, Number, Email, Phone, Date, CFS
  • Opportunity – Maximum Fields: 10 fields per type. Supported Fields & Data Types: Custom & CFS Fields (Text, Number, Email, Phone, Date)
  • Custom Activity – Maximum Fields: 10 fields per type. Supported Fields & Data Types: Custom & CFS Fields (Text, Number, Email, Phone, Date)
  • Sales Activity – Maximum Fields: 10 fields. Supported Fields & Data Types: Custom Fields (String, Number, Date)
  • File – Maximum File Size: 2 GB. Supported Fields & Data Types: All file types

5. Field-Level Encryption Settings

To access Field-Level Encryption Settings, navigate to Settings>Data Management & Privacy>Field Level Encryption.

5.1 Key Management

Once Field-Level Encryption is enabled, the admin can configure the encryption by entering an Encryption Key which can either be directly generated from here or be imported from any Key Management System. This key is used to convert data (like a customer’s phone number or ID) into unreadable encrypted text when stored in the database, and to decrypt it back into readable form for authorized users.

5.1.1 Key Generation

If you select the Generate Key option, then the Encryption Key will be automatically generated. If required, you can change the key periodically by clicking the Rotate Key option. Once you update the new key, the ability to make changes to the key will be restricted for 90 days.

5.1.2 Key Import

If you select the Import Key option, you can Bring Your Own Key (BYOK): paste the key copied from AWS Key Management Service (KMS) and click Import Key. If required, you can import a new key periodically by clicking the Import Key option. Once you update the new key, the ability to import a new key will be restricted for 90 days.

5.2 Encryption Key History

View a log of all the updates that were made to the encryption key. Here you can see –

  • Key Version – The version of the key based on the number of times it was updated
  • Created Via – The method through which the encryption key was entered
    • Key Generation – Either Key Generation or Manual Key Rotation
    • Key Import – Import
  • Created On – The date and time when the encryption key was created
  • Created By – The admin user who created the encryption key

5.3 Encrypted Fields

View the Lead, Opportunity and Activity fields marked for encryption in dedicated tabs. The tabs contain grids with the following details –

  • Field Name – Name of the field
  • Schema Name – Unique identifier assigned to a field
  • Field Type – Either Custom or System (specific to Lead Fields)
  • Data Type – Text, Number, Email, Phone or Date
  • Encryption Status – Either Encrypted or Queued for Encryption (Encrypting)

6. Select Fields to be Encrypted

After configuring the Encryption Key, the admin must select the relevant Lead / Object, Lead CFS, Opportunity and Activity Fields to be encrypted from the Web App Settings.

Note:

  • There is a hard limit of 10 encrypted fields per Lead / Object, Opportunity, or Activity Type. If you attempt to encrypt a field after reaching this limit, you will face an error.
  • When you enable encryption for an existing field, the system creates an encryption request that will be processed in the background. However, for newly created fields, encryption is applied immediately once you select the Encrypt Field option during field creation.
  • File-Level Encryption is supported only for files stored in LeadSquared storage, and it applies only to files uploaded to CFS and Attachments after encryption is enabled.

6.1 Encrypt a Lead / Object Field and Custom Field Set (CFS) Field

To secure a lead field –

  1. Navigate to Settings>Leads>Lead Fields.
  2. Click the Actions icon alongside the relevant system or custom lead field and select Edit.
  3. On the Edit Lead Field page, under Lead Field Properties, check the box alongside Encrypt Field.

Similarly, to secure a Lead CFS field –

  1. Click the Actions icon alongside the relevant custom field set and select Edit.
  2. On the Edit Lead Field page, under Lead Field Properties, check the box alongside Encrypt Field.

6.2 Encrypt an Opportunity Field

To secure an opportunity field within an opportunity type –

  1. Navigate to Settings>Opportunities>Opportunity Types.
  2. Click the Actions icon alongside the relevant opportunity type and select Edit.
  3. On the Field Configuration Tab in the Update Opportunity Type popup, click the Actions icon alongside the relevant field.
  4. Check the box alongside Encrypt Field.

6.3 Encrypt an Activity Field

To secure an activity field –

  1. Navigate to Settings>Leads>Custom Activities & Scores.
  2. Click the Edit icon alongside the relevant activity type.
  3. On the second page of the Update Custom Activity Type popup, click the Actions icon alongside the relevant field.
  4. Check the box alongside Encrypt Field.

7. View Request History

To see the details about your existing field encryption request, navigate to Settings>Profile>Request History.

8. Limitations

  • Global & Quick Search: The Quick Search, Global Search, and Advanced Search features may not function correctly while encryption is in progress.
  • Advanced Search: Only the operators Equals, Not Equal, Contains Data, and Does Not Contain Data are supported. All other operators are not available for encrypted fields.
  • Sort/Filter: Sorting and filtering are disabled for encrypted fields.
  • Reporting: In some cases, encrypted fields may display ciphertext if the report or integration does not handle decryption.
  • Uniqueness: Only the system fields Email, Phone, and Mobile can be marked as unique if encrypted. Any other field marked as unique cannot be encrypted.
  • Uniqueness Criteria Impact: If unique fields (such as Phone, Mobile, or Email) are marked for encryption, the uniqueness validation will not work until the encryption process is complete. This can lead to duplicate records being created. It is strongly recommended to pause record creation and updates while encryption is in progress on unique fields to avoid data inconsistencies.
  • Audit: Historical audit records created before encryption was enabled will remain unencrypted. Encryption applies only to new audit entries generated after the field has been encrypted.
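
The operator and uniqueness limits listed above are typical of searchable field encryption in general. The Python example below is an added illustration of one common design (randomized ciphertext plus an HMAC blind index); it is not LeadSquared's implementation, which this article does not describe. The demo keys, the HMAC-based stand-in for a cipher such as AES-GCM, the value normalization, and the EncryptedColumn class are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo keys (assumption); real keys would come from a KMS.
ENC_KEY, MAC_KEY, INDEX_KEY = (bytes([i]) * 32 for i in (1, 2, 3))


def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM, demo only.
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_field(value: str) -> bytes:
    """Randomized, authenticated encryption: nonce || ciphertext || tag."""
    nonce, data = os.urandom(16), value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()


def decrypt_field(blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


def blind_index(value: str) -> str:
    """Deterministic keyed hash stored beside the ciphertext for equality lookups."""
    return hmac.new(INDEX_KEY, value.strip().upper().encode(), hashlib.sha256).hexdigest()


class EncryptedColumn:
    """Hypothetical column store: row id -> (ciphertext, blind index)."""
    def __init__(self, unique: bool = False):
        self.rows, self.unique = {}, unique

    def insert(self, row_id: int, value: str) -> None:
        idx = blind_index(value)
        if self.unique and any(i == idx for _, i in self.rows.values()):
            raise ValueError("duplicate value in unique encrypted field")
        self.rows[row_id] = (encrypt_field(value), idx)

    def equals(self, value: str) -> list:
        target = blind_index(value)  # Equals compares indexes; nothing is decrypted
        return [rid for rid, (_, idx) in self.rows.items() if idx == target]
```

In this design, two encryptions of the same value never match byte for byte, so equality and uniqueness rely on the blind index, while a partial value or a sort order has no usable relationship to either the ciphertext or the index.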

 
