Available in: Developer, Enterprise, Performance, Unlimited, and Database.com Editions
Encrypted custom fields are text fields that can contain letters, numbers, or symbols but are encrypted. The value of an encrypted field is only visible to users that have the “View Encrypted Data” permission.
Before you begin working with encrypted custom fields, review the following implementation notes and best practices:
Encrypted fields are encrypted with 128-bit master keys and use the AES (Advanced Encryption Standard) algorithm. You can archive, delete, and import your master encryption key. To enable master encryption key management, contact salesforce.com.
Encrypted custom fields cannot be unique, an external ID, or have default values.
While other text fields can contain up to 255 characters, encrypted text fields are limited to 175 characters due to the encryption algorithm.
Encrypted fields are not available for use in filters such as list views, reports, roll-up summary fields, and rule filters.
Encrypted fields cannot be used to define report criteria but they can be included in report results.
Encrypted fields are not searchable but they can be included in search results.
Encrypted fields are not available in the following: Salesforce Classic, Connect Offline, Connect for Lotus Notes, Connect for Outlook, Salesforce for Outlook, lead conversion, workflow rule criteria or formulas, formula fields, outbound messages, default values, and Web-to-Lead and Web-to-Case forms.
You can use encrypted fields in email templates but the value is always masked regardless of whether you have the “View Encrypted Data” permission.
If you have created encrypted custom fields, make sure your organization has secure connections using SSL (Secure Sockets Layer) enabled.
If you have the “View Encrypted Data” permission and you grant login access to another user, be aware that the other user will be able to see encrypted fields unmasked (in plain text).
Only users with the “View Encrypted Data” permission can clone the value of an encrypted field when cloning that record.
Only the <apex:outputField> component supports presenting encrypted fields in Visualforce pages.
Encrypted fields are editable regardless of whether the user has the “View Encrypted Data” permission. Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields.
You can still validate the values of encrypted fields using validation rules or Apex. Both work regardless of whether the user has the “View Encrypted Data” permission. Data for encrypted fields in the debug log is masked.
Existing custom fields cannot be converted into encrypted fields nor can encrypted fields be converted into another data type. To encrypt the values of an existing (unencrypted) field, export the data, create an encrypted custom field to store that data, and import that data into the new encrypted field.
Mask Type is not an input mask that ensures the data matches the Mask Type. Use validation rules to ensure that the data entered matches the mask type selected.
Use encrypted custom fields only when government regulations require it because they involve additional processing and have search-related limitations.