Switch Between Probabilistic and Deterministic Encryption

To gain sorting and filtering on encrypted fields, you may decide to switch the encryption scheme from probabilistic to deterministic. Before you do this, consider switching over completely to Database Encryption. Database Encryption provides full sorting and filtering of all encrypted fields. See Onboard Database Encryption after Enabling Field-Level Encryption.

If Database Encryption isn't the solution you want, and you are considering moving some fields over to deterministic encryption, make sure you read the section Filter Encrypted Data with Deterministic Encryption. In addition, keep these things in mind to prepare for the migration:

• Sync your data beforehand. If you have recently rotated your keys, or enabled EKM, BYOK, or Cache-Only Keys, you should synchronize your data before switching. You can synchronize most encrypted data yourself from the Encryption Statistics page in Setup. If you need help with synchronizing your data for any type of content not listed in the instruction, you must create a case for the sync job.
• When you change an encryption scheme, Shield Platform Encryption first decrypts the field contents, and then encrypts it with the new scheme. This process is not immediate. Until the process is complete, you cannot change the scheme again.

• To support case-insensitive queries, Salesforce stores a lowercase duplicate of your data as a custom field in the database. These duplicates are necessary for case-insensitive queries, but they count against your total custom field count. For example, if you have 200 custom fields in your org, and you choose to encrypt one with case insensitive deterministic encryption, your custom field total is 201.

  When you convert a field from deterministic (case insensitive) to anything else, the duplicate custom field is removed from the database.