What You Can Encrypt
Shield Platform Encryption provides robust options to protect your sensitive data at rest across Salesforce, helping you meet various compliance and regulatory requirements. You can opt for Database Encryption to encrypt most data within your transactional database. For more targeted protection and granular key management control, Field-Level Encryption (FLE) allows you to encrypt specific standard and custom fields individually.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
Beyond these core capabilities, you can also extend encryption to files and attachments, fields in the Salesforce B2B Commerce managed package, custom fields in installed managed packages that support the feature, all Data 360 data stores (including its vector-based search indexes), Salesforce search indexes (for keyword searches, separate from Data 360), CRM Analytics datasets, Event Bus data, and Chatter data. These various encryption features offer layered defense mechanisms tailored to different types of sensitive data within your Salesforce environment.
- Database Encryption
Database Encryption is available to all Hyperforce customers with a Shield or Shield Platform Encryption license. You can encrypt most of your data without impeding filtering, sorting, or the many Salesforce features that rely on them. Because most of your data is encrypted by default with a tenant-specific key, Database Encryption helps you meet your compliance and regulatory requirements with minimal effort.
- Standard and Custom Fields
With Field-Level Encryption (FLE), you choose the specific items that you want to protect with encryption. These items are encrypted with a data encryption key (DEK), a derived key composed in part with your tenant secret.
- Search Indexes
Salesforce products (other than Data 360) use traditional keyword indexing. These keywords are stored at rest in search index files. When you turn on Search Index encryption, sensitive data, even when tokenized for search, remains unreadable to unauthorized parties if the indexes are compromised.
- Data 360 Data Stores
Platform Encryption for Data 360 provides Data 360 customers with greater control and visibility over the encryption keys used to protect their sensitive, confidential, or proprietary data stored within all Data 360 data stores. When Platform Encryption for Data 360 is enabled, all Data 360 data stores are encrypted at rest. Platform Encryption for Data 360 also supports Marketing Cloud Next and Tableau Next wherever they leverage Data 360.
- Files and Attachments
Salesforce Shield Platform Encryption extends its data-at-rest protection to include Files and Attachments, ensuring that the content of documents, images, and other files uploaded to Salesforce remains encrypted. When this feature is enabled, the body of each new file or attachment is encrypted as it's uploaded to the platform, using a data encryption key based on your tenant secret.
- Event Bus Data
Protect event messages and Change Data Capture (CDC) events at rest. The event bus may store event and CDC data in temporary files as it flows through integrations and real-time processes. Turning on Event Bus Data encryption ensures that event bus data in these temporary storage locations is fully encrypted.
- Chatter Data
Provide an additional layer of security for the collaborative discussions and information shared within Chatter. Encrypt data at rest in Chatter feed posts and comments, questions and answers, link names and URLs, poll questions and choices, and content from your custom rich publisher apps.
- CRM Analytics Data
Your reports and dashboards may contain confidential business insights, personally identifiable information, or other sensitive data. With Shield Platform Encryption, you can encrypt your CRM Analytics datasets at rest, maintaining compliance and enhancing your data security.

