Onboard Field-Level Encryption
FLE enables you to apply fine-grained encryption to standard and custom fields. You can use FLE with or without Database Encryption enabled.
Required Editions
- Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
- Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
- Available for free in Developer Edition.
Prepare to use FLE
To prepare for Field-Level Encryption, we recommend these steps:
- Perform a thorough security review to assess your current encryption status and plan your strategy.
- Read about FLE and how to set it up.
- Review the Differences Between FLE and Database Encryption.
- Compare the Differences Between Probabilistic and Deterministic Encryption.
- Read about Background Sync. When you enable encryption on a field, new data is encrypted as it is created, but existing data must be synchronized for encryption.
- Plan to test your encryption field choices thoroughly in a sandbox before migrating them to your production org.
First Use of FLE
If Database Encryption is not enabled, you can simply identify the fields you want to encrypt. You can configure multiple standard fields for probabilistic or deterministic encryption at one time. You must configure custom fields one at a time. After you have configured all the fields you plan to encrypt, run a background encryption sync to encrypt data already in those fields.
Add FLE after Enabling Database Encryption
Database Encryption encrypts the entire transactional database. This includes all fields, and any small files that are contained within the database. If Database Encryption is enabled, you can still encrypt standard and custom fields separately using FLE.
- If FLE is enabled on a standard or custom field, FLE encryption happens before Database Encryption. This affects the filtering and sorting for that field, as described in Encryption Tradeoffs.
- For fields that you must keep on FLE even after Database Encryption is enabled, you can perform a no-operation or cosmetic change to the entity. This will trigger an encrypted write to the transactional database for all entities of that type. (In fact you can use this technique to trigger an encrypted write to any field, whether it is using FLE or not.)
Removing Encryption from a Field
You can turn encryption off at any time. The field content is gradually decrypted across the org.
Changing the Encryption Scheme
You can change the encryption scheme for a field in these ways:
- probabilistic to deterministic (case sensitive)
- probabilistic to deterministic (case insensitive)
- deterministic (case sensitive) to probabilistic
- deterministic (case insensitive) to probabilistic
- deterministic (case sensitive) to deterministic (case insensitive)
- deterministic (case insensitive) to deterministic (case sensitive)
Check out Switch Between Probabilistic and Deterministic Encryption for full details on changing the encryption scheme.
- Switch Between Probabilistic and Deterministic Encryption
If you are already encrypting fields using the probabilistic encryption scheme, and have decided to switch one or more of them over to deterministic encryption, you should consider your options and plan carefully.
- Considerations for Using Deterministic Encryption
These considerations apply to data encrypted with Shield Platform Encryption’s deterministic encryption scheme. Some considerations manifest differently depending on whether data is encrypted with the case-sensitive or case-insensitive deterministic encryption scheme.

