          Strengthen Your Data’s Security with Shield Platform Encryption

          Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. You can encrypt sensitive data at rest, not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

          Required Editions

          Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          Note: This content relates to Shield Platform Encryption. Read about implementing field-level encryption using Shield Extension in Own from Salesforce.

          Shield Platform Encryption builds on the classic encryption options that Salesforce offers all license holders. Data is encrypted so it’s protected even when other lines of defense are compromised. You can encrypt the entire transactional database, or you can opt to encrypt discrete items, such as many standard and custom fields, files, search indexes, and attachments.

          Your key material is never saved or shared across orgs. You can choose to have Salesforce generate key material for you, or you can upload your own. By default, Shield Platform Encryption uses a key derivation function (KDF) to derive data encryption keys on demand from a primary secret and your org-specific key material. It then stores that derived data encryption key (DEK) in an encrypted key cache. DEKs are never stored on disk, and your org-specific key material is always wrapped.

          You can opt out of key derivation on a key-by-key basis. Or you can store your DEK outside of Salesforce and have either the External Key Management service or the Cache-Only Key Service fetch it on demand from a key service that you control. The DEKs that you provide are always wrapped. No matter how you choose to manage your keys, Shield Platform Encryption secures your key material at every stage of the encryption process.

          You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It’s available in sandboxes after it’s provisioned for your production org.

          Tip: Whether you’re using Shield Platform Encryption or Classic Encryption, you can track the encryption policy status across your entire org. It’s a simple process with the Security Center app, which can capture many useful security metrics. See Take Charge of Your Security Goals with Security Center.
          • What You Can Encrypt
            Shield Platform Encryption provides robust options to protect your sensitive data at rest across Salesforce, helping you meet various compliance and regulatory requirements. You can opt for Database Encryption to encrypt most data within your transactional database. For more targeted protection and granular key management control, Field-Level Encryption (FLE) allows you to encrypt specific standard and custom fields individually.
          • Onboard to Shield Platform Encryption
            Several situations can affect onboarding to the different Shield Platform Encryption features. They depend on the encryption policies you’ve adopted and on whether you’re already using one or more Shield Platform Encryption features.
          • Platform Encryption Q&A
            Here are some frequently asked questions about platform encryption.
          • How Shield Platform Encryption Works
            Shield Platform Encryption helps you encrypt your data with keys that you manage. It uses two methods to protect your data: key derivation and direct encryption. For FLE and Database Encryption, it uses a derived key composed of a unique tenant secret that you control and a primary secret that Salesforce maintains. For EKM, Search Indexes, and BYOK for Data 360, it uses a root key that wraps the data encryption keys (DEKs) that directly encrypt your data. You control the root key.
          • Set Up Your Encryption Policy
            An encryption policy is your plan for encrypting data with Shield Platform Encryption. You can choose how you want to implement it. For example, you can encrypt the entire transactional database using Database Encryption. If you want advanced key management, you can use field-level encryption to encrypt individual fields and apply different encryption schemes to those fields. Or you can choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption policy.
          • Filter Encrypted Data with Deterministic Encryption
            You can filter data that’s protected with Shield Platform Encryption using deterministic encryption. Your users can filter records in reports and list views, even when the underlying fields are encrypted. You can apply case-sensitive deterministic encryption or exact-match case-insensitive deterministic encryption to data on a field-by-field basis.
          • Key Management and Rotation
            With Shield Platform Encryption, you control and rotate the key material used to encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then combined with a primary secret for each release to derive a data encryption key. This derived data encryption key is then used in encryption and decryption functions. You can also use the Bring Your Own Key (BYOK) service to upload your own key material. Or you can store your key material outside of Salesforce. Use the External Key Management Service or the Cache-Only Key Service to fetch your key material on demand.
          • Shield Platform Encryption Customizations
            Some features and settings require adjustment before they work with encrypted data.
          • Tradeoffs and Limitations of Shield Platform Encryption
            A security solution as powerful as Shield Platform Encryption doesn’t come without some tradeoffs. When your data is encrypted, it’s possible that some of your users experience limited functionality, and sometimes certain features aren’t available to them at all. As you design your encryption strategy, consider the impact on your users and your overall business solution.
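As an added illustration, not Salesforce’s code and not a description of the actual cipher or key derivation it uses (which this page does not give), the following Python sketches the two ideas summarized in the How Shield Platform Encryption Works and Filter Encrypted Data with Deterministic Encryption items above: an HKDF that derives an org-specific DEK from a primary secret combined with a tenant secret, and three field encryption schemes (probabilistic, case-sensitive deterministic, case-insensitive deterministic) whose behaviour under an equality filter differs. The roles assigned to the two secrets, the HMAC-SHA256 counter-mode toy cipher, the token/IV ciphertext layout, and the sample secrets and field values are all assumptions constructed for this example.

```python
"""Added illustration of two ideas from the text above: deriving an org-specific
data encryption key (DEK) from a primary secret plus a tenant secret, and why a
deterministically encrypted field can be filtered while a probabilistically
encrypted one cannot. Toy code for teaching; not Salesforce's implementation."""
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_dek(primary_secret: bytes, tenant_secret: bytes, purpose: bytes) -> bytes:
    """Assumed arrangement (not documented on the page): tenant secret as input
    keying material, primary secret as salt. Neither secret alone yields the DEK,
    and the purpose label keeps DEKs for different uses distinct."""
    return hkdf_sha256(tenant_secret, primary_secret, purpose)

def _prf_stream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream generator."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class FieldEncryptor:
    """scheme is 'probabilistic', 'deterministic' (case-sensitive exact match)
    or 'deterministic_ci' (case-insensitive exact match)."""

    def __init__(self, dek: bytes, scheme: str):
        self.scheme = scheme
        # Separate subkeys so the filter token, the synthetic IV and the
        # keystream never share key material.
        self.enc_key = hkdf_sha256(dek, b"", b"enc")
        self.tok_key = hkdf_sha256(dek, b"", b"token")
        self.iv_key = hkdf_sha256(dek, b"", b"iv")

    def _normalize(self, value: str) -> bytes:
        folded = value.casefold() if self.scheme == "deterministic_ci" else value
        return folded.encode()

    def filter_token(self, value: str):
        """Deterministic tag compared by an equality filter; None for
        probabilistic fields, which therefore cannot be filtered."""
        if self.scheme == "probabilistic":
            return None
        return hmac.new(self.tok_key, self._normalize(value), hashlib.sha256).digest()[:16]

    def encrypt(self, value: str) -> bytes:
        data = value.encode()
        if self.scheme == "probabilistic":
            iv = os.urandom(16)  # fresh per write: same value, different ciphertext
            return iv + _xor(data, _prf_stream(self.enc_key, iv, len(data)))
        # Synthetic IV over the exact bytes, so "Alice" and "ALICE" never reuse a
        # keystream; only the token carries the case-folded equality semantics.
        iv = hmac.new(self.iv_key, data, hashlib.sha256).digest()[:16]
        return self.filter_token(value) + iv + _xor(data, _prf_stream(self.enc_key, iv, len(data)))

    def decrypt(self, blob: bytes) -> str:
        off = 0 if self.scheme == "probabilistic" else 16
        iv, body = blob[off:off + 16], blob[off + 16:]
        return _xor(body, _prf_stream(self.enc_key, iv, len(body))).decode()

def filter_equals(enc: FieldEncryptor, stored: list, query: str) -> list:
    """Equality filter run over ciphertexts only: returns the indexes of stored
    blobs whose token matches the query's token."""
    token = enc.filter_token(query)
    if token is None:
        return []
    return [i for i, blob in enumerate(stored) if hmac.compare_digest(blob[:16], token)]

def demo() -> dict:
    # Constructed sample secrets and field values.
    dek = derive_dek(b"primary-secret-held-by-salesforce", b"tenant-secret-for-org-A", b"field")
    values = ["Alice", "alice", "Bob"]
    results = {}
    for scheme in ("probabilistic", "deterministic", "deterministic_ci"):
        enc = FieldEncryptor(dek, scheme)
        stored = [enc.encrypt(v) for v in values]
        results[scheme] = filter_equals(enc, stored, "alice")
    return results

if __name__ == "__main__":
    print(demo())  # {'probabilistic': [], 'deterministic': [1], 'deterministic_ci': [0, 1]}
```

The demo makes the page’s point concrete: an equality filter over ciphertext works only because equal (normalized) plaintexts produce equal tokens, which is also why deterministic encryption reveals equality patterns that probabilistic encryption hides, and why the page has you choose it field by field rather than everywhere. Decryption recovers the original case under every scheme; only the filter token is case-folded.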