Onboard Database Encryption after Enabling Field-Level Encryption
If you have been using Field-Level Encryption (FLE) and have decided to take advantage of the
benefits of Database Encryption, decide whether you still need FLE. Database Encryption covers
all standard and custom fields that you can configure with FLE, without any issues with
filtering and sorting.
Required Editions
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available in: Enterprise, Performance, and Unlimited Editions using Hyperforce.
If you plan to stop using FLE on certain fields after Database Encryption is in place, you
should wait 24 hours before making any changes to them. After Database Encryption has been
enabled for at least 24 hours, turning FLE off on a field removes the encryption from the
field, so the field is temporarily unprotected. However, this change also forces the plain
text data to be rewritten, which will trigger Database Encryption to encrypt it right
away.
For fields that you must keep on FLE even after Database Encryption is enabled, you can
perform a no-operation or cosmetic change to the entity. This triggers an encrypted write
to the transactional database for all entities of that type. (In fact, you can use this
technique to trigger an encrypted write to any field, whether it is using FLE or not.)
Important
Once you have enabled Database Encryption, it remains in place. There is no option to turn
it off at the present time.
Also, you cannot synchronize existing data with the new active tenant secret. While key
rotation is supported, Salesforce automatically synchronizes data to the latest key over
time. There is no self-service sync option for Database Encryption.
To prepare for Database Encryption, we recommend these steps:
1. Plan to test Database Encryption in a sandbox thoroughly before enabling it in your
   production org.
2. If you plan to stop using FLE on certain fields after Database Encryption is in place, you
   should wait 24 hours before making any changes to them. After Database Encryption has been
   enabled for at least 24 hours, turning FLE off on a field forces the plain text data to be
   rewritten, which will trigger Database Encryption to encrypt it right away.
3. For fields that you must keep on FLE even after Database Encryption is enabled, you can
   perform a no-operation or cosmetic change to the entity. This will trigger an encrypted
   write to the transactional database for all entities of that type.