Encrypting Message Content on Database Level (Limitations) 
To increase data security, you have the option of encrypting the payload (and any attachments) of messages at the database level. This means that all messages configured in this way are stored encrypted in the message database. Users that query the message database, for example using SQL, cannot read the content of the payload.
Consider the following limitations if you plan to use this feature:
Parts of a message cannot be encrypted individually.
The complete payload of a message is always encrypted in the database.
Masking of individual fields (for example, Primary Account Number) is not supported.
Re-encryption of messages is not supported.
Administrators cannot re-encrypt messages that have already been stored. Re-encryption means: a message that has already been encrypted is decrypted and thereafter encrypted with a new key.
Furthermore, administrators cannot initiate automatic re-encryption of messages that have already been stored.
Recommendation
To overcome this limitation, administrators can manually redeliver affected messages or clean up the message database.
More information: Data Storage Security for the Advanced Adapter Engine, Data Storage Security for the Integration Engine
Applying message archiving can disable message encryption.
If an archiving solution is used that does not support encrypted data storage, this can lead to a situation in which configured message encryption at the database level (as described in this section) is disabled. Administrators are recommended to evaluate the archive solution used in light of this limitation.
Scenarios using Business Process Management and cross-component Business Process Management are not fully supported.
Depending on the scenario, messages or message elements may be stored unencrypted in separate databases even if the message encryption is configured according to the procedures in this section.
Encryption of logged synchronous messages is not supported in the Advanced Adapter Engine.
However, encryption of logged synchronous messages stored in the Integration Engine message store is supported.
Advanced (user-defined) message search on sensitive message elements is not supported.
If you define filters that include payload elements with sensitive data, be aware of the fact that these elements are stored unencrypted.
SAP NetWeaver Search and Classification (TREX) is not supported.
TREX stores messages unencrypted.
Message encryption at the database level is not fully supported for all SAP adapters and third-party adapters.
Adapters with their own message storage (for example, RNIF, CIDX adapter) do not support encrypted data storage if the message itself was not previously encrypted by the sender.
Only service interfaces can be marked as sensitive. Imported IDocs and RFCs cannot be marked as sensitive. Scenarios using those imported interfaces on either sender or receiver side are currently not supported.