Salesforce Encryption Implementation Guide
@salesforcedocs
Last updated: April 19, 2018
© Copyright 2000–2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,
as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
Field Limits (page 51)
STRENGTHEN YOUR DATA'S SECURITY WITH SHIELD PLATFORM ENCRYPTION
EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.
Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it is protected even when other lines of defense have been compromised.
Your data encryption key is never saved or shared across organizations. Instead, it is derived on demand from a master secret and your organization-specific tenant secret, and cached on an application server.
You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It is available in sandboxes after it has been provisioned for your production org.
IN THIS SECTION:
Encrypt Fields, Files, and Other Data Elements With Encryption Policy
You have a lot of flexibility in how to implement your encryption policy. Encrypt individual fields and apply different encryption
schemes to those fields. Or choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes.
Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before
you implement your encryption strategy.
Filter Encrypted Data with Deterministic Encryption (Beta)
You can filter data that you have protected with Salesforce Shield Platform Encryption using deterministic encryption. Your users
can filter records in reports and list views, even when the underlying fields are encrypted. Deterministic encryption supports WHERE
clauses in SOQL queries and is compatible with unique and external ID fields. It also supports single-column indexes and single-column
case-sensitive unique indexes. Shield Platform Encryption uses the Advanced Encryption Standard (AES) with 256-bit keys with CBC
mode, and a static initialization vector (IV).
Manage Shield Platform Encryption
To provide Shield Platform Encryption for your organization, contact your Salesforce account executive. They’ll help you provision
the correct license so you can get started on creating your own unique tenant secret.
How Shield Platform Encryption Works
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. We
combine these secrets to create your unique data encryption key. We use that key to encrypt data that your users put into Salesforce,
and to decrypt data when your authorized users need it.
Platform Encryption Best Practices
Take the time to identify the most likely threats to your organization. This helps you distinguish data that needs encryption from
data that doesn’t, so that you can encrypt only what you need to. Make sure that your tenant secret and keys are backed up, and be
careful who you allow to manage your secrets and keys.
Encrypt Fields, Files, and Other Data Elements With Encryption Policy
You have a lot of flexibility in how to implement your encryption policy. Encrypt individual fields and apply different encryption schemes to those fields. Or choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption strategy.
IN THIS SECTION:
Encrypt New Data in Fields
Select the fields you want to encrypt. For best results, encrypt the smallest possible number of fields.
Encrypt New Files and Attachments
For another layer of data protection, encrypt files and attachments. If Shield Platform Encryption is on, the body of each file or attachment is encrypted when it’s uploaded.
Get Statistics About Your Encryption Coverage
The Encryption Statistics page provides an overview of all your encrypted data. This information
helps you to stay on top of your key rotation and management tasks. You can also use encryption statistics to identify which objects
and fields you may want to update after you rotate your key material.
Synchronize Your Data Encryption with the Background Encryption Service
Periodically, you’ll change your encryption policy. Or you’ll rotate your keys. To get the most protection out of your encryption
strategy, it's important to synchronize new and existing encrypted data under your most recent encryption policy and keys.
Fix Compatibility Problems
When you select fields or files to encrypt, Salesforce automatically checks for potential side effects and warns you if any existing
settings may pose a risk to data access or your normal use of Salesforce. You have some options for how to clear up these problems.
Use Encrypted Data in Formulas
Use custom formula fields to quickly find encrypted data. You can write formulas with several operators and functions, render
encrypted data in text, date, and date/time formats, and reference quick actions.
Apply Encryption to Fields Used in Matching Rules (Beta)
Matching rules used in duplicate management help you maintain clean and accurate data. Apply deterministic encryption to the
fields to make them compatible with standard and custom matching rules.
Encrypt Data in Chatter
Enabling Shield Platform Encryption for Chatter adds an extra layer of security to information that users share in Chatter. You can
encrypt data at rest in feed posts and comments, questions and answers, link names and URLs, poll questions and choices, and
content from your custom rich publisher apps.
Encrypt Search Index Files
Sometimes you need to search for personally identifiable information (PII) or data that’s encrypted in the database. When you search
your org, the results are stored in search index files. You can encrypt these search index files, adding another layer of security to your
data.
Encrypt New Data in Fields
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Which Standard Fields and Data Elements Can I Encrypt?
Which Custom Fields Can I Encrypt?
Field Limits with Shield Platform Encryption
Data Loader
Fix Compatibility Problems
Encrypt New Files and Attachments
Encrypt New Files and Attachments
Note: Before you begin, make sure that your organization has an active encryption key; if you’re not sure, check with your administrator.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
2. Select Encrypt Files and Attachments.
3. Click Save.
Important: Users with access to the file can work normally with it regardless of their encryption-specific permissions. Users who are logged in to your org and have read access can search and view the body content.
Users can continue to upload files and attachments per the usual file size limits. Expansion of file sizes caused by encryption doesn’t count against these limits.
Turning on file and attachment encryption affects new files and attachments. It doesn’t automatically encrypt files and attachments that were already in Salesforce. To encrypt existing files, contact Salesforce.
To check whether a file or attachment is encrypted, look for the encryption indicator on the detail page of the file or attachment. You can also query the isEncrypted field on the ContentVersion object (for files) or on the Attachment object (for attachments).
USER PERMISSIONS
To view setup: View Setup and Configuration
To encrypt files: Customize Application
SEE ALSO:
Encrypt New Data in Fields
Get Statistics About Your Encryption Coverage
IN THIS SECTION:
Gather Encryption Statistics
The Encryption Statistics page shows you how much of your data is encrypted by Shield Platform Encryption, and how much of that
data is encrypted by an active tenant secret. Use this information to inform your key rotation actions and timelines. You can also use
the Encryption Statistics page to collect information about the fields and objects you want to synchronize with the background
encryption service.
Interpret and Use Encryption Statistics
The Encryption Statistics page offers a snapshot of your encrypted data. You can use the information on this page to help make
informed decisions about managing your encrypted data.
USER PERMISSIONS
To view Setup: View Setup and Configuration
The statistics show all available information about data for each object.
Note:
• The gathering process time varies depending on how much data you have in your object. You’re notified by email when the
gathering process is finished. You can gather statistics once every 24 hours.
• Feed Item doesn't display statistics because it's derived from Feed Post. Gathering statistics for Feed Post is sufficient to confirm
the encryption status of both Feed Post and Feed Item.
The page offers two views of your encrypted data: a summary view and a detail view.
Encryption Summary View
The summary shows all your objects and statistics about the data in those objects.
• Object—Lists your standard and custom objects. Data about standard objects are aggregated for all standard objects of a given
type. Data about custom objects are listed for each custom object.
• Data Encrypted—The total percentage of data in an object that’s encrypted. In the example above, 22% of all data in Account objects is encrypted. The Case object shows 0%, meaning none of the data in any Case is encrypted.
• Uses Active Key—The percentage of your encrypted data in that object or object type that is encrypted with the active tenant
secret.
When the numbers in both Data Encrypted and Uses Active Key columns are the same, all your encrypted data uses your active
tenant secret. A double dash (--) means that statistics haven’t been gathered for that object or object type yet.
Encryption Detail View
When you select an object, you see detailed statistics about the data stored in that object.
• Field—All encryptable standard and custom fields in that object that contain data.
• API Name—The API name for fields that contain data.
• Encrypted Records—The number of encrypted values stored in a field type across all objects of given type. For example, you
select the Account object and see “9” in the Encrypted Records column next to Account Name. That means there are nine
encrypted records across all Account Name fields.
• Unencrypted Records—The number of plaintext values stored in a field type.
• Mixed Tenant Secret Status—Indicates whether a mixture of active and archived tenant secrets apply to encrypted data in a
field type.
• Mixed Schemes— Indicates whether a mixture of deterministic and probabilistic encryption schemes apply to encrypted data
in a field type.
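How the summary and detail views above are derived from field-level data, as an added example in Go that is not Salesforce's code: Stored, GatherObject, FieldsNeedingSync and the SampleAccount data are this example's own model of the metadata the page describes (each value tagged with the tenant secret version and scheme that encrypted it). It goes one step beyond the page by listing the fields whose ciphertext still sits under an archived tenant secret, which is the set to synchronize with the background encryption service after a rotation.

```go
package main

import (
	"fmt"
	"sort"
)

// Stored is one field value as the object holds it (a constructed model, not Salesforce's storage format).
type Stored struct {
	Encrypted bool
	KeyID     string // tenant secret version that encrypted it; "" for plaintext
	Scheme    string // "deterministic" or "probabilistic"; "" for plaintext
}

// FieldStats mirrors the columns of the Encryption Detail View.
type FieldStats struct {
	APIName                 string
	EncryptedRecords        int
	UnencryptedRecords      int
	MixedTenantSecretStatus bool
	MixedSchemes            bool
	NeedsSync               bool // some ciphertext is under an archived tenant secret
}

// ObjectStats mirrors the Encryption Summary View; both percentages are over all values in the object.
type ObjectStats struct {
	Object        string
	Gathered      bool // false renders as "--"
	DataEncrypted float64
	UsesActiveKey float64
	Fields        []FieldStats
}

// GatherObject walks every field of one object and produces both views.
func GatherObject(name string, data map[string][]Stored, activeKey string) ObjectStats {
	st := ObjectStats{Object: name}
	total, enc, active := 0, 0, 0
	for api, vals := range data {
		fs := FieldStats{APIName: api}
		keys, schemes := map[string]bool{}, map[string]bool{}
		for _, v := range vals {
			total++
			if !v.Encrypted {
				fs.UnencryptedRecords++
				continue
			}
			enc, fs.EncryptedRecords = enc+1, fs.EncryptedRecords+1
			keys[v.KeyID], schemes[v.Scheme] = true, true
			if v.KeyID == activeKey {
				active++
			} else {
				fs.NeedsSync = true
			}
		}
		fs.MixedTenantSecretStatus, fs.MixedSchemes = len(keys) > 1, len(schemes) > 1
		st.Fields = append(st.Fields, fs)
	}
	sort.Slice(st.Fields, func(i, j int) bool { return st.Fields[i].APIName < st.Fields[j].APIName })
	if total == 0 {
		return st // nothing gathered yet: the summary shows "--"
	}
	st.Gathered = true
	st.DataEncrypted = 100 * float64(enc) / float64(total)
	st.UsesActiveKey = 100 * float64(active) / float64(total)
	return st
}

// Percent renders a summary column the way the page does, "--" when nothing was gathered.
func Percent(st ObjectStats, v float64) string {
	if !st.Gathered {
		return "--"
	}
	return fmt.Sprintf("%.1f%%", v)
}

// FieldsNeedingSync lists the fields to synchronize after a rotation, before the archived secret is destroyed.
func FieldsNeedingSync(st ObjectStats) (out []string) {
	for _, f := range st.Fields {
		if f.NeedsSync {
			out = append(out, f.APIName)
		}
	}
	return out
}

// SampleAccount is constructed data: eight values over two fields, encrypted
// under "ts1" (archived) or "ts2" (active), or left in plaintext.
func SampleAccount() map[string][]Stored {
	return map[string][]Stored{
		"Name":  {{true, "ts2", "deterministic"}, {true, "ts1", "deterministic"}, {}, {}},
		"Phone": {{true, "ts2", "probabilistic"}, {true, "ts2", "deterministic"}, {}, {}},
	}
}

func main() {
	st := GatherObject("Account", SampleAccount(), "ts2")
	fmt.Println(st.Object, Percent(st, st.DataEncrypted), Percent(st, st.UsesActiveKey), "needs sync:", FieldsNeedingSync(st))
}
```

With the sample data the summary reads 50.0% encrypted but only 37.5% under the active key, and the detail view flags Name as Mixed Tenant Secret Status and Phone as Mixed Schemes; only Name needs synchronizing.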
Synchronize Your Data Encryption with the Background Encryption Service
Note: Synchronizing your data encryption does not affect the record timestamp. It doesn't execute triggers, validation rules,
workflow rules, or any other automated service.
Tip: Also check that your field values aren’t too long for encryption.
Tip: If you're not sure which data is already encrypted, visit the Encryption Statistics page, which keeps a record of all the fields
that you have encrypted.
Note: When you disable encryption for files that were encrypted with a key that’s been destroyed, the files don’t automatically
go away. You can ask Salesforce support to delete the files.
Fix Compatibility Problems
Note: By default, your results only list the first 250 errors per element. You can increase the number of errors listed in your
results to 5000. Contact Salesforce for help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Encrypt New Data in Fields
Use Encrypted Data in Formulas
This works:
(encryptedField__c & encryptedField__c)
Why it doesn’t work: LOWER isn’t a supported function, and the input is an encrypted value.
Case
CASE returns encrypted field values, but doesn’t compare them.
This works:
CASE(custom_field__c, "1", cf2__c, cf3__c)
10
Strengthen Your Data's Security with Shield Platform Use Encrypted Data in Formulas
Encryption
Why it works: custom_field__c is compared to “1”. If it is true, the formula returns cf2__c because it’s
not comparing two encrypted values.
This works:
OR(ISBLANK(encryptedField__c), ISNULL(encryptedField__c))
Why it works: Both ISBLANK and ISNULL are supported. OR works in this example because ISBLANK and
ISNULL return a Boolean value, not an encrypted value.
Spanning
This works:
(LookupObject1__r.City & LookupObject1__r.Street) &
(LookupObject2__r.City & LookupObject2__r.Street) &
(LookupObject3__r.City & LookupObject3__r.Street) &
(LookupObject4__r.City & LookupObject4__r.Street)
How and why you use it: Spanning retrieves encrypted data from multiple entities. For example, let’s say you work in the customer service department for Universal Containers. A customer has filed a case about a distribution problem, and you want to see the scope of the issue. You want all the shipping addresses related to this particular case. This example returns all the customers’ shipping addresses as a single string in your case layout.
Validation
The encryption validation service checks your org to make sure that it’s compatible with encrypted formula field types.
When you encrypt a given field, the validation service:
• Retrieves all formula fields that reference the field
• Verifies that the formula fields are compatible with encryption
• Verifies that the formula fields aren’t used elsewhere for filtering or sorting
Limits
Up to 200 formula fields can reference a given encrypted custom field. A field that is referenced by more than 200 formula fields can’t
be encrypted. If you need to reference an encrypted custom field from more than 200 formula fields, contact Salesforce.
When you specify multiple fields to encrypt at one time, the 200-field limit is applied to the whole batch. If you know that you are encrypting fields that have multiple formula fields pointing to them, encrypt those fields one at a time.
Apply Encryption to Fields Used in Matching Rules (Beta)
Important: Matching rules used in duplicate management don’t support probabilistically encrypted data.
1. From Setup, in the Quick Find box, enter Matching Rules, and then select Matching Rules.
2. Deactivate the matching rules that reference fields you want to encrypt. If your matching rule is associated with an active duplicate rule, first deactivate the duplicate rule from the Duplicate Rules page. Then return to the Matching Rules page and deactivate the matching rule.
3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
4. Click Encrypt Fields.
5. Click Edit.
6. Select the fields you want to encrypt, and select Deterministic from the Encryption Scheme list.
7. Click Save.
8. Reactivate your matching rule and associated duplicate management rule.
USER PERMISSIONS
To view setup: View Setup and Configuration
To enable encryption key (tenant secret) management: Manage Profiles and Permission Sets
Example: Let’s say you recently encrypted Billing Address on your Contacts, and you want to add this field to a custom matching rule. First, deactivate the rule or rules you want to add this field to. Make sure that Billing Address is encrypted with the deterministic encryption scheme. Then add Billing Address to your custom matching rule, just like you would add any other field. Finally, reactivate your rule.
Tip: Follow this process to add encrypted fields to existing custom matching rules.
You must update matching rules that reference encrypted fields when you rotate your key material. After you rotate your key material,
deactivate and then reactivate the affected matching rules. Then contact Salesforce to request the background encryption process.
When the background encryption process finishes, your matching rules can access all data encrypted with your active key material.
Filter Encrypted Data with Deterministic Encryption (Beta)
Note: This release contains a beta version of deterministic encryption with case-sensitive
filtering, which means it’s a high-quality feature with known limitations. Deterministic
encryption with case-sensitive filtering isn’t generally available unless or until Salesforce
announces its general availability in documentation or in press releases or public statements.
We can’t guarantee general availability within any particular time frame or at all. Make your
purchase decisions based only on generally available products and features.
IN THIS SECTION:
How Deterministic Encryption Supports Filtering
By default, Salesforce encrypts data using a probabilistic encryption scheme. Each bit of data is turned into a fully random ciphertext
string every time it’s encrypted. Encryption doesn’t generally impact users who are authorized to view the data. The exceptions are
when logic is executed in the database or when encrypted values are compared to a string or to each other. In these cases, because
the data has been turned into random, patternless strings, filtering isn’t possible. For example, you might run a SOQL query in custom
Apex code against the Contact object, where LastName = 'Smith'. If the LastName field is encrypted with probabilistic encryption,
you can’t run the query. Deterministic encryption addresses this problem.
Encrypt Data Using the Deterministic Encryption Scheme
You apply deterministic encryption to a field by choosing this encryption scheme.
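The contrast drawn above between probabilistic and deterministic encryption, worked through in Go as an added example that is not Salesforce's code or its documented key derivation: HMAC-SHA256 stands in for the HSM-based derivation of the data key from a master secret and a tenant secret (an assumption of this example), both schemes use AES-256-CBC, the probabilistic one with a fresh random IV and the deterministic one with a static IV (all-zero here, also an assumption), and FilterEquals plays the database evaluating WHERE LastName = 'Smith' against ciphertext. Function names and the sample secrets are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveDataKey models "master secret + org-specific tenant secret -> data
// encryption key": recomputed on demand, never stored, and a rotated tenant
// secret yields a new key. HMAC-SHA256 is this example's stand-in for the
// HSM-based derivation, not Salesforce's KDF.
func deriveDataKey(masterSecret, tenantSecret []byte) []byte {
	mac := hmac.New(sha256.New, masterSecret)
	mac.Write(tenantSecret)
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// PKCS#7 padding brings a value to whole AES blocks, as CBC requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptCBC runs AES-256-CBC under the given IV and returns iv || ciphertext.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// EncryptProbabilistic draws a fresh random IV per call: equal plaintexts become
// unrelated ciphertexts, so nothing in the database can be matched on them.
func EncryptProbabilistic(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}

// staticIV never changes (all-zero is this example's assumption). Reusing it makes
// equal plaintexts give equal ciphertexts, which is what lets a filter or index work.
var staticIV = make([]byte, aes.BlockSize)

func EncryptDeterministic(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, staticIV, plaintext)
}

// Decrypt reverses either scheme; the IV is the first block of the stored value.
func Decrypt(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return pkcs7Unpad(out)
}

// FilterEquals is the database's view of WHERE LastName = 'Smith': it never sees
// plaintext, so it can only compare stored ciphertext with the encrypted filter value.
func FilterEquals(stored [][]byte, encryptedNeedle []byte) (n int) {
	for _, c := range stored {
		if bytes.Equal(c, encryptedNeedle) {
			n++
		}
	}
	return n
}

func main() {
	key := deriveDataKey([]byte("master-secret"), []byte("tenant-secret-v1")) // constructed secrets
	d1, _ := EncryptDeterministic(key, []byte("Smith"))
	d2, _ := EncryptDeterministic(key, []byte("Smith"))
	fmt.Println("deterministic ciphertexts repeat:", bytes.Equal(d1, d2)) // true
}
```

The deterministic output is what makes the filter work, and it is also what tells anyone who can read the column which records share a value; that trade-off is why the scheme is reserved for fields that actually need filtering, unique indexes or matching rules.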
Encrypt Data Using the Deterministic Encryption Scheme
Note: To generate a tenant secret, you must have the Manage Encryption Keys permission.
9. Enable encryption for each field, specifying the deterministic encryption scheme. How you do that depends on whether it’s a standard
field or a custom field.
• For standard fields, from Setup, select Encryption Policy, and then select Encrypt Fields. For each field you want to encrypt,
select the field name, and then choose Deterministic from the Encryption Scheme list.
• For custom fields, open the Object Manager and edit the field you want to encrypt. Select Encrypt the contents of this field,
and select Use case sensitive deterministic encryption.
10. Contact Salesforce Support to encrypt your existing data, or to re-encrypt data you previously encrypted with probabilistic encryption.
Manage Shield Platform Encryption
IN THIS SECTION:
Generate a Tenant Secret
You can have Salesforce generate a unique tenant secret for your organization, or you can generate your own tenant secret using
your own external resources. In either case, you manage your own tenant secret: you can rotate it, archive it, and designate other
users to share responsibility for it.
Rotate Your Encryption Tenant Secrets
You control the life cycle of your data encryption keys by controlling the life cycle of your tenant secrets. It’s recommended to
regularly generate a new tenant secret and archive the previously active one.
Back Up Your Tenant Secret
Your tenant secret is unique to your organization and to the specific data to which it applies. Salesforce recommends that you export
your secret to ensure continued data access in cases where you need to gain access to the related data again.
Destroy A Tenant Secret
Only destroy tenant secrets in extreme cases where access to related data is no longer needed. Your tenant secret is unique to your
organization and to the specific data to which it applies. Once you destroy a tenant secret, related data is not accessible unless you
previously exported the key and then import the key back into Salesforce.
Disable Encryption on Fields
At some point, you may need to disable Shield Platform Encryption for fields, files, or both. You can turn field encryption on or off
individually, but file encryption is all or nothing.
SEE ALSO:
Which User Permissions Does Shield Platform Encryption Require?
The TenantSecret Object
Generate a Tenant Secret
SEE ALSO:
Permission Sets
Profiles
5. When the Certificate and Key Detail page appears, click Download Certificate.
If you’re not sure whether a self-signed or CA-signed certificate is right for you, consult your organization’s security policy. See
Certificates and Keys in Salesforce Help for more about what each option implies.
To create a CA-signed certificate, follow the instructions in the Generate a Certificate Signed By a Certificate Authority topic in
Salesforce Help. Remember to manually change the Exportable Private Key, Key Size, and Platform Encryption settings to
ensure that your certificate is BYOK-compatible.
This tenant secret automatically becomes the active tenant secret.
Note: The tenant secret whose certificate has the latest expiration date automatically becomes the active tenant secret.
USER PERMISSIONS
To manage tenant secrets: Manage Encryption Keys AND Manage Certificates
Your tenant secret is now ready to be used for key derivation. From here on, the Shield Key Management Service (KMS) uses your
tenant secret to derive an org-specific data encryption key. The app server then uses this key to encrypt and decrypt your users’ data.
4. Export your tenant secret and back it up as prescribed in your organization’s security policy.
To restore your tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It is encrypted
with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in Salesforce Help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
6. In the Upload Tenant Secret section, attach both your encrypted data encryption key and your hashed plaintext data encryption key.
7. Click Upload.
This data encryption key automatically becomes the active key.
From here on, the Shield Key Management Service (KMS) skips the derivation process and uses your data encryption key to directly
encrypt and decrypt your data. You can review the derivation status of all key material on the Key Management page.
8. Export your data encryption key and back it up as prescribed in your organization’s security policy.
To restore your data encryption key, reimport it. The exported data encryption key is different from the data encryption key you
uploaded. It is encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in
Salesforce Help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Rotate Your Encryption Tenant Secrets
4. Click Generate New Tenant Secret or Upload Tenant Secret. If uploading a customer-supplied tenant secret, upload your
encrypted tenant secret and tenant secret hash.
5. If you want to re-encrypt field values with a newly generated tenant secret, contact Salesforce support.
To update your data, export the objects via the API or run a report that includes the record ID. These actions trigger the encryption
service to encrypt the existing data again using the newest key.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Back Up Your Tenant Secret
5. To import your tenant secret again, click Import > Choose File and select your file. Make sure you’re importing the correct version of the tenant secret.
USER PERMISSIONS
To manage tenant secrets: Manage Encryption Keys
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Destroy A Tenant Secret
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
USER PERMISSIONS
To manage tenant secrets: Manage Encryption Keys
Can I Bring My Own Encryption Key?
IN THIS SECTION:
Why Bring Your Own Key?
Bring Your Own Key (BYOK) gives you an extra layer of protection in the event of unauthorized access to critical data. It may also
help you meet the regulatory requirements that come with handling financial data, such as credit card numbers; health data, such
as patient care records or insurance information; or other kinds of private data, such as social security numbers, addresses, and phone
numbers. Once you’ve set up your key material, you can use Shield Platform Encryption as you normally would to encrypt data at
rest in your Salesforce org.
Take Good Care of Your Keys
When you create and store your own key material outside of Salesforce, it’s important that you safeguard that key material. Make
sure that you have a trustworthy place to archive your key material; never save a tenant secret or data encryption key on a hard drive
without a backup.
Note: The Key Derivation Opt-Out (Beta) feature lets you bypass the Shield KMS’s key derivation process. Use the infrastructure
of your choice to create a data encryption key instead of a tenant secret. Then upload this data encryption key to Salesforce.
We use this key material as your final data encryption key for data encryption and decryption. You can rotate customer-supplied
data encryption keys just like you would rotate a customer-supplied tenant secret. Contact Salesforce to enable this feature.
Problem: Your certificate is not active, or is not a valid Bring Your Own Key certificate.
Solution: Ensure that your certificate settings are compatible with the Bring Your Own Key feature. Under the Certificate and Key Edit section of the Certificates page, select a 4096-bit certificate size, disable Exportable Private Key, and enable Platform Encryption.
Problem: You haven’t attached both the encrypted tenant secret and the hashed tenant secret.
Solution: Make sure that you attach both the encrypted tenant secret and hashed tenant secret. Both of these files should have a .b64 suffix.
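Packaging a customer-supplied tenant secret for upload, as an added Go example that is not Salesforce's tooling: it enforces the 4096-bit certificate size from the troubleshooting entry above and produces the encrypted tenant secret and its hash as base64 text, the contents of the two .b64 files. SHA-256 for the hash, RSA-OAEP for the wrapping and the 32-byte secret length are this example's assumptions rather than the documented file formats; VerifyPackage models the receiving side's consistency check that the two files belong together. Function and type names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// BYOKPackage holds the two upload artifacts, each as base64 text (the .b64 files).
type BYOKPackage struct {
	EncryptedTenantSecretB64 string
	TenantSecretHashB64      string
}

// NewTenantSecret draws the secret from the OS CSPRNG on your own infrastructure,
// which is the point of BYOK. 32 bytes matches the AES-256 key size the guide names.
func NewTenantSecret() ([]byte, error) {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	return s, nil
}

// PublicKeyFromCertPEM reads the certificate downloaded from the Certificate and
// Key Detail page and returns its RSA public key.
func PublicKeyFromCertPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return pub, nil
}

// PackageTenantSecret builds both artifacts. The 4096-bit check is the
// troubleshooting table's requirement; SHA-256 for the hash and RSA-OAEP for the
// wrapping are this example's assumptions, not the documented file formats.
func PackageTenantSecret(secret []byte, pub *rsa.PublicKey) (BYOKPackage, error) {
	if len(secret) != 32 {
		return BYOKPackage{}, errors.New("tenant secret must be 32 bytes")
	}
	if pub.N.BitLen() != 4096 {
		return BYOKPackage{}, fmt.Errorf("certificate key is %d bits, BYOK needs 4096", pub.N.BitLen())
	}
	h := sha256.Sum256(secret)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return BYOKPackage{}, err
	}
	return BYOKPackage{
		EncryptedTenantSecretB64: base64.StdEncoding.EncodeToString(ct),
		TenantSecretHashB64:      base64.StdEncoding.EncodeToString(h[:]),
	}, nil
}

// VerifyPackage is the receiving side's check: unwrap with the certificate's
// private key and confirm the hash file belongs to the same secret, which
// catches a secret wrapped under the wrong certificate or a mismatched pair.
func VerifyPackage(p BYOKPackage, priv *rsa.PrivateKey) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(p.EncryptedTenantSecretB64)
	if err != nil {
		return nil, err
	}
	want, err := base64.StdEncoding.DecodeString(p.TenantSecretHashB64)
	if err != nil {
		return nil, err
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return nil, err
	}
	if got := sha256.Sum256(secret); subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, errors.New("hash does not match the decrypted tenant secret")
	}
	return secret, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 4096) // stands in for the BYOK certificate's key pair
	secret, _ := NewTenantSecret()
	pkg, err := PackageTenantSecret(secret, &priv.PublicKey)
	fmt.Println(err, len(pkg.EncryptedTenantSecretB64), pkg.TenantSecretHashB64)
}
```

Keep the plaintext secret and the exported copy in the archive your security policy prescribes; the hash file is not a backup, it only lets the receiver confirm the wrapped secret decrypted to what you intended.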
I’m still having problems with my key. Who should I talk to?
If you still have questions, contact your account executive. They’ll put you in touch with a support team specific to this feature.
Which Standard Fields and Data Elements Can I Encrypt?
• Phone
• Fax
• Website
• Description
• Account Site
Note: If your org has enabled Person Accounts, certain account and contact fields are combined into one record. In that case,
you can enable encryption for a different set of Account fields.
Accounts (if Person Accounts enabled for your org)
• Account Name
• Billing Address (encrypts Billing Street and Billing City)
• Shipping Address (encrypts Shipping Street and Shipping City)
• Phone
• Fax
• Website
• Description
• Account Site
• Mailing Address (encrypts Mailing Street and Mailing City)
• Other Address (encrypts Other Street and Other City)
• Mobile
• Home Phone
• Other Phone
• Assistant Phone
• Email
• Title
• Assistant
Contacts
• Name (encrypts First Name, Middle Name, and Last Name)
• Mailing Address (encrypts Mailing Street and Mailing City)
• Other Address (encrypts Other Street and Other City)
• Phone
• Fax
• Mobile
• Home Phone
• Other Phone
• Assistant Phone
• Email
• Title
• Assistant
• Description
Leads
• Name (Encrypts First Name, Middle Name, and Last Name)
• Title
• Company
• Address (Encrypts Street and City)
• Phone
• Mobile
• Fax
• Email
• Website
• Description
Opportunities
• Opportunity Name
• Description
• Next Step
Cases
• Subject
• Description
Case Comments
• Body (including internal comments)
Contract
• Billing Address (encrypts Billing Street and Billing City)
Note: The Individual object is available only if you enable the org setting to make data protection details available in records.
Chatter feed
• Feed Comment—Body
• Feed Item—Body
• Feed Item—Title
• Feed Revision—Value
These fields include feed posts, questions and answers, link names, comments, and poll questions. They don’t encrypt poll choices.
The revision history of encrypted Chatter fields is also encrypted. If you edit or update an encrypted Chatter field, the old information
remains encrypted.
Note: Enabling Encryption for Chatter encrypts all eligible Chatter fields. You can’t choose to encrypt only certain Chatter
fields.
Search Indexes
When you encrypt search indexes, each file created to store search results is encrypted.
SEE ALSO:
Encrypt New Data in Fields
• Date
• Date/Time
After a custom field is encrypted, you can’t change the field type. For custom phone and email fields, you also can’t change the field
format.
Important: When you encrypt the Name field, enhanced lookups are automatically enabled. Enhanced lookups improve the
user’s experience by searching only through records that have been looked up recently, and not all existing records. Switching to
enhanced lookups is a one-way change. You can’t go back to standard lookups, even if you disable encryption.
You can’t use Schema Builder to create an encrypted custom field.
To encrypt custom fields that have the Unique or External ID attribute, you can only use deterministic encryption.
Some custom fields can’t be encrypted:
• Fields on external data objects
• Fields that are used in an account contact relation
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Encrypt New Data in Fields
The Customize Application and Manage Certificates permissions are automatically enabled for users with the System Administrator
profile.
SEE ALSO:
Manage Shield Platform Encryption
• !!!!!: This service is unavailable right now. For help accessing this service, contact Salesforce.
Custom Date
• 08/08/1888: This field is encrypted, and the encryption key has been destroyed.
• 01/01/1777: This service is unavailable right now. For help accessing this service, contact Salesforce.
Custom Date/Time
• 08/08/1888 12:00 PM: This field is encrypted, and the encryption key has been destroyed.
• 01/01/1777 12:00 PM: This service is unavailable right now. For help accessing this service, contact Salesforce.
You can’t enter these masking characters into an encrypted field. For example, if a Date field is encrypted and you enter 07/07/1777,
you must enter a different value before it can be saved.
1. When a Salesforce user saves encrypted data, the runtime engine determines from metadata whether to encrypt the field, file, or
attachment before storing it in the database.
2. If so, the encryption service checks for the matching data encryption key in cached memory.
3. The encryption service determines whether the key exists.
a. If so, the encryption service retrieves the key.
b. If not, the service sends a derivation request to a key derivation server and returns it to the encryption service running on the
Salesforce Platform.
4. After retrieving or deriving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using
256-bit AES encryption.
5. The ciphertext is saved in the database or file storage. The IV and corresponding ID of the tenant secret used to derive the data
encryption key are saved in the database.
Salesforce generates a new master secret at the start of each release.
4. After retrieving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using NSS or JCE’s
AES-256 implementation.
5. The key ID (identifier of the key being used to encrypt the index segment) and IV are saved in the search index.
The process is similar when a user searches for encrypted data:
1. When a user searches for a term, the term is passed to the search index, along with which Salesforce objects to search.
2. When the search index executes the search, the encryption service opens the relevant segment of the search index in memory and
reads the key ID and IV.
3. Steps 3 through 5 of the process when a user creates or edits records are repeated.
4. The search index processes the search and returns the results to the user seamlessly.
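The record-encryption steps and the search-index steps above share the same key handling, so one added example serves both; it is written here in Go and is not Salesforce's code. It models a data encryption key derived on demand from a master secret and a tenant secret and then cached, a fresh random IV per value, and a stored record that carries only IV and tenant secret ID (the role the key ID plays for an index segment). Assumptions: HMAC-SHA256 stands in for the HSM-based derivation, AES-256-GCM for the AES-256 mode, and every name, secret and value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Record is what the database keeps per value: ciphertext, the random IV, and the ID of the tenant
// secret the data encryption key was derived from. The key itself is never stored with the data.
type Record struct{ TenantSecretID string; IV, Ciphertext []byte }

// Service stands in for the encryption service: the master secret, the tenant secrets it can still
// derive from, and a cache of derived data encryption keys (both maps keyed by tenant secret ID).
type Service struct{ master []byte; tenantSecrets, keyCache map[string][]byte }

func NewService(master []byte, tenantSecrets map[string][]byte) *Service { return &Service{master, tenantSecrets, map[string][]byte{}} }

// DestroyTenantSecret models key destruction; evicting the cached key matters as much as dropping the secret.
func (s *Service) DestroyTenantSecret(id string) { delete(s.tenantSecrets, id); delete(s.keyCache, id) }

// aead returns AES-256-GCM under the cached data encryption key, deriving it on demand from the master
// secret and the tenant secret. HMAC-SHA256 is a constructed stand-in for the HSM-based derivation.
func (s *Service) aead(id string) (cipher.AEAD, error) {
	k, cached := s.keyCache[id]
	if !cached {
		ts, ok := s.tenantSecrets[id]
		if !ok { return nil, errors.New("tenant secret " + id + " is destroyed or unknown") }
		mac := hmac.New(sha256.New, s.master)
		mac.Write(ts)
		k = mac.Sum(nil) // 32 bytes: an AES-256 key
		s.keyCache[id] = k
	}
	block, _ := aes.NewCipher(k)
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random IV per value and stores it, with the tenant secret ID, beside the ciphertext.
func (s *Service) Encrypt(id string, plaintext []byte) (Record, error) {
	g, err := s.aead(id)
	if err != nil { return Record{}, err }
	iv := make([]byte, g.NonceSize())
	rand.Read(iv) // crypto/rand: a fresh IV for every value, so equal plaintexts give different ciphertexts
	return Record{id, iv, g.Seal(nil, iv, plaintext, nil)}, nil
}

// Decrypt reads the tenant secret ID and IV back from the record and reuses or re-derives the key.
func (s *Service) Decrypt(r Record) ([]byte, error) {
	g, err := s.aead(r.TenantSecretID)
	if err != nil { return nil, err }
	return g.Open(nil, r.IV, r.Ciphertext, nil)
}
```

Destroying a tenant secret also evicts the cached key, which is what makes records under that ID undecryptable immediately rather than only after the cache expires. Because each call draws a new IV, two encryptions of the same value differ, which is why the probabilistic scheme cannot serve an equality filter.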
If Salesforce admins disable encryption on a field, all index segments that were encrypted are unencrypted and the key ID is set to null.
This process can take up to seven days.
Shield Platform Encryption enabled in the source org, not enabled in the target org: the Encrypted field attribute is ignored.
Shield Platform Encryption not enabled in the source org, enabled in the target org: the target Encrypted field attribute indicates enablement.
Available in both Salesforce Classic and Lightning Experience.
PCI-DSS L1 Compliance
Masking
API Access
3. Create a strategy early for backing up and archiving keys and data.
If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure that your data
and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed, or misplaced tenant
secrets.
4. Read the Shield Platform Encryption considerations and understand their implications on your organization.
• Evaluate the impact of the considerations on your business solution and implementation.
• Test Shield Platform Encryption in a sandbox environment before deploying to a production environment.
• Before enabling encryption, fix any violations that you uncover. For example, referencing encrypted fields in a SOQL WHERE
clause triggers a violation. Similarly, if you reference encrypted fields in a SOQL ORDER BY clause, a violation occurs. In both cases,
fix the violation by removing references to the encrypted fields.
• If an app interacts with encrypted data that's stored outside of Salesforce, investigate how and where data processing occurs
and how information is protected.
• If you suspect Shield Platform Encryption could affect the functionality of an app, ask the provider for help with evaluation. Also
discuss any custom solutions that must be compatible with Shield Platform Encryption.
• Apps on the AppExchange that are built exclusively using Lightning Platform inherit Shield Platform Encryption capabilities and
limitations.
6. Platform Encryption is not a user authentication or authorization tool. To control which users can see which data, use field-level
security settings, page layout settings, and validation rules, not Platform Encryption.
7. Grant the “Manage Encryption Keys” user permission to authorized users only.
Users with the “Manage Encryption Keys” permission can generate, export, import, and destroy organization-specific keys. Monitor
the key management activities of these users regularly with the setup audit trail.
SEE ALSO:
Tradeoffs and Limitations of Shield Platform Encryption
SEE ALSO:
Platform Encryption Best Practices
You can reference encrypted fields in most places in your flows and processes. However, you can’t reference encrypted fields in these filtering or sorting contexts.
Available in both Salesforce Classic and Lightning Experience.
Tool: Process Builder. Filtering availability: Update Records action. Sorting availability: n/a.
You can store the value from an encrypted field in a variable and operate on that value in your flow’s logic. You can also update the
value for an encrypted field.
Paused flow interviews can result in data being saved in an unencrypted state. When a flow or process is waiting to resume, the associated
flow interview is serialized and saved to the database. The flow interview is serialized and saved when:
• Users pause a flow
• Flows execute a Wait element
• Processes are waiting to execute scheduled actions
If the flow or process loads encrypted fields into a variable during these processes, that data might not be encrypted at rest.
Custom Fields
You can’t use encrypted custom fields in criteria-based sharing rules.
Some custom fields can’t be encrypted.
• Fields that have the Unique or External ID attributes or include these attributes on previously encrypted custom fields
(applies only to fields that use the probabilistic encryption scheme)
• Fields on external data objects
• Fields that are used in an account contact relation
You can’t use Schema Builder to create an encrypted custom field.
SOQL/SOSL
• Encrypted fields that use the probabilistic encryption scheme can’t be used with the following SOQL and SOSL clauses and functions:
– Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
– WHERE clause
– GROUP BY clause
– ORDER BY clause
For information about SOQL and SOSL compatibility with deterministic encryption, see Considerations for Using Deterministic
Encryption in Salesforce Help.
Tip: Consider whether you can replace a WHERE clause in a SOQL query with a FIND query in SOSL.
• When you query encrypted data, invalid strings return an INVALID_FIELD error instead of the expected MALFORMED_QUERY.
Portals
If a portal is enabled in your organization, you can’t encrypt standard fields. Deactivate all customer portals and partner portals to enable
encryption on standard fields. (Communities are supported.)
To deactivate a customer portal, go to the Customer Portal Settings page in Setup. To deactivate a partner portal, go to the Partners
page in Setup.
Search
If you encrypt fields with a key and then destroy the key, the corresponding search terms remain in the search index. However, you can’t
decrypt the data associated with the destroyed key.
Email to Salesforce
When the standard Email field is encrypted, the detail page for Contacts, Leads, or Person Accounts doesn’t flag invalid email addresses.
If you need bounce processing to work as expected, don't encrypt the standard Email field.
Campaigns
Campaign member search isn’t supported when you search by encrypted fields.
Notes
You can encrypt the body text of Notes created with the new Notes tool. However, the Preview file and Notes created with the old Notes
tool aren’t supported.
Communities
If you encrypt the Account Name field and you’re not using Person Accounts, encryption affects how users’ roles are displayed to admins.
Normally, a community user’s role name is displayed as a combination of their account name and the name of their user profile. When
you encrypt the Account Name field, the account ID is displayed instead of the account name.
For example, when the Account Name field is not encrypted, users belonging to the Acme account with the Customer User profile would
have a role called Acme Customer User. When Account Name is encrypted (and Person Accounts aren’t in use), the role is displayed
as something like 001D000000IRt53 Customer User.
Data Import
You can’t use the Data Import Wizard to perform matching using master-detail relationships or update records that contain fields that
use the probabilistic encryption scheme. You can use it to add new records, however.
Standard matching rules that include fields with Shield Platform Encryption don’t detect duplicates. If you encrypt a field included in
standard matching rules, deactivate the standard rule.
General
• Encrypted fields can’t be used in:
– Criteria-based sharing rules
– Similar opportunities searches
– External lookup relationships
– Filter criteria for data management tools
Filter Operators
In reports and list views, the operators “equals” and “not equal to” are supported with deterministic encryption. Other operators, like
“contains” or “starts with,” don’t return an exact match and aren’t supported.
Case Sensitivity
When you use deterministic encryption, case matters. In reports, list views, and SOQL queries on encrypted fields, the results are
case-sensitive. Therefore, a SOQL query against the Contact object, where LastName = 'Jones', returns only Jones, not jones or JONES.
Similarly, when the filter-preserving scheme tests for unicity (uniqueness), each version of “Jones” is unique.
External ID
You can enable the external ID for deterministically encrypted fields when you use the Unique - Case-Sensitive attribute.
Compound Names
Even with deterministic encryption, some kinds of searches don’t work when data is encrypted. Concatenated values, such as compound
names, aren’t the same as the separate values. For example, the ciphertext for the compound name “William Jones” is not the same as
the concatenation of the ciphertexts for “William” and “Jones”.
So, if the First Name and Last Name fields are encrypted in the Contacts object, this query doesn’t work:
Select Id from Contact Where Name = 'William Jones'
Indexes
Deterministic encryption supports single-column indexes and single-column case-sensitive unique indexes. However, custom indexes
on standard fields and two-column indexes aren’t supported.
Note: This list isn’t exhaustive. For information about a field not shown here, refer to the API.
SEE ALSO:
Encrypt New Data in Fields