          Set Up Your Encryption Policy

          An encryption policy is your plan for encrypting data with Shield Platform Encryption. You can choose how you want to implement it. For example, you can encrypt the entire transactional database using Database Encryption. If you want advanced key management, you can use field-level encryption to encrypt individual fields and apply different encryption schemes to those fields. Or you can choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption policy.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          Note: This content relates to Shield Platform Encryption. Read about implementing field-level encryption using Shield Extension in Own from Salesforce.

          To provide Shield Platform Encryption for your org, contact your Salesforce account executive. They’ll help you provision the correct license so you can create key material and start encrypting data.

          Warning: Salesforce recommends testing Shield Platform Encryption in a sandbox org to confirm that your reports, dashboards, processes, and other operations work correctly.
          • Shield Platform Encryption Best Practices
            Take the time to identify the most likely threats to your org. This process helps you distinguish data that needs encryption from data that doesn’t, so that you can encrypt only what you need to. Make sure that your tenant secret and keys are backed up, and be careful who you allow to manage your secrets and keys.
          • Which User Permissions Does Shield Platform Encryption Require?
            Assign permissions to your users according to their roles regarding encryption and key management. Some users need permission to select data for encryption, while other users require combinations of permissions to work with certificates or key material. Enable these permissions for user profiles just like you do for any other user permission.
          • Generate and Manage Root Keys and Tenant Secrets
            Salesforce has multiple secret types that are used to encrypt different categories of data. You can generate root keys, data encryption keys, and tenant secrets right from Setup.
          • Differences Between FLE and Database Encryption
            While Database Encryption supports most Salesforce features, the set of features it supports differs in some respects from the set that FLE supports.
          • Set Up Database Encryption
            You can choose to implement the broadest protection of your data by encrypting the entire transactional database. With database encryption, all data in the transactional database is encrypted at the data tier level.
          • Set Up Field-Level Encryption
            Field-Level Encryption (FLE) gives you fine-grained control over what to encrypt. By encrypting only the specific object fields that contain sensitive information, you can comply with your security needs without undue performance issues. For FLE, we recommend that you encrypt as few fields as necessary. As a Shield Platform Encryption feature, FLE supports custom fields in Lightning Experience, in Salesforce Classic, and in installed managed packages.
          • Encrypt New Files and Attachments
            For another layer of data protection, encrypt files and attachments. If Shield Platform Encryption is on, the body of each file or attachment is encrypted when it’s uploaded.
          • Encrypt Data in Chatter
            Enabling Shield Platform Encryption for Chatter adds an extra layer of security to the information that users share in Chatter. You can encrypt data at rest in feed posts and comments, questions and answers, link names and URLs, poll questions and choices, and content from your custom rich publisher apps.
          • Encrypt Data 360 with Customer-Managed Root Keys
            By default, all data in Data 360 is encrypted at rest by a Salesforce-managed data encryption key (DEK). With Platform Encryption for Data 360, you can generate a Data 360 root key in Salesforce Setup. Your Data 360 root keys are specific to your org and secure the DEKs that encrypt and decrypt your data. In this way, you control the chain of keys that encrypt your data. If you want to use an external Key Management Server (KMS), you can also use EKM with Data 360.
          • Encrypt Search Index Files with a Tenant Secret
            In orgs that don't yet use the updated search index framework, use a tenant secret in the search index encryption process. Sometimes you must search for personally identifiable information (PII) or for data that’s encrypted in the database. When you search your org, the results are stored in search index files in plaintext — a potential vulnerability. You can encrypt these search index files with Shield Platform Encryption, adding another layer of security to your data.
          • Encrypt Search Index Files with a Root Key
            In orgs that use the updated search index framework, you use a DEK that’s secured by a root key in the search index encryption process. Sometimes you must search for personally identifiable information (PII) or for data that’s encrypted in the database. When you search your org, the results are stored in search index files in plaintext — a potential vulnerability. You can encrypt these search index files with Shield Platform Encryption, adding another layer of security to your data.
          • Encrypt CRM Analytics Data
            To get started with CRM Analytics Encryption, generate a tenant secret with Shield Platform Encryption. After you generate a CRM Analytics tenant secret, CRM Analytics Encryption uses the Shield Platform Encryption key management architecture to encrypt your CRM Analytics data.
          • Encrypt Event Bus Data
            To enable encryption of change data capture or platform event messages at rest, generate an event bus tenant secret and then enable encryption.
          • Fix Compatibility Problems
            When you select fields or files to encrypt with Shield Platform Encryption, Salesforce automatically checks for potential side effects. The validation service then warns you if any existing settings may pose a risk to data access or your normal use of Salesforce. You have some options for how to clear up these problems.
          • Disable Encryption on Fields
            You can disable Shield Platform Encryption for fields, files, or both. You can turn field encryption on or off individually, but file encryption is all or nothing.
          Salesforce Help | Article