Behind the Scenes: The Search Index Encryption Process

Salesforce's search engine, powered by Apache Solr and Apache Lucene, organizes record data in a scalable, partitioned search index. Search Encryption secures org-specific search index files (the .fdt, .tim, and .tip file types) using a unique 256-bit AES key. Encryption happens at the segment level, so every in-memory index operation works on encrypted data. Access to the encrypted search index and to the key cache is only possible through programmatic APIs.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.

          Admins enable "Encrypt Search Indexes" to activate this feature, prompting Shield Platform Encryption to create and store a Data Encryption Key (DEK). Once the DEK is active, search index encryption begins. When records are created or edited, the encryption service uses the DEK (retrieved from cache or the Shield KMS via TLS-encrypted channels) to encrypt data with AES-256 and a random initialization vector (IV). The key ID and IV are then saved in the search index. For searches, the relevant index segment is opened, the key ID and IV read, and data decrypted before processing.
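The encrypt-on-write and decrypt-on-read cycle described above, as an added example that is not Salesforce's code: an in-memory map stands in for the DEK cache and Shield KMS, and each "segment" is stored as a header carrying the key ID and the random IV followed by the ciphertext. The page states AES-256 with a random IV but not the cipher mode or the header layout; the AES-256-GCM mode, the 4-byte key ID field, the 12-byte IV and the `generateDEK`, `encryptSegment` and `decryptSegment` names are assumptions made for this example. Because the key ID travels with the segment, generating a new DEK leaves older segments readable, which is what lets key rotation happen without rewriting the index.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keyIDLen = 4  // assumed: key ID stored at the front of each segment
	ivLen    = 12 // assumed: random IV (GCM nonce) stored after the key ID
)

// keyCache stands in for the DEK cache / Shield KMS lookup. Keys are
// constructed locally for this example and addressed by a numeric key ID.
type keyCache struct {
	next uint32
	keys map[uint32][]byte
}

func newKeyCache() *keyCache {
	return &keyCache{next: 1, keys: map[uint32][]byte{}}
}

// generateDEK mints a fresh 256-bit key, as "generate new DEK" would, and
// returns its ID. Older keys stay resolvable so existing segments still decrypt.
func (kc *keyCache) generateDEK() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	id := kc.next
	kc.next++
	kc.keys[id] = key
	return id, nil
}

func (kc *keyCache) lookup(id uint32) ([]byte, error) {
	key, ok := kc.keys[id]
	if !ok {
		return nil, fmt.Errorf("key ID %d not in cache", id)
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSegment encrypts one segment's bytes under the DEK named by keyID.
// Assumed layout: [key ID 4 bytes][IV 12 bytes][AES-256-GCM ciphertext + tag].
// The key ID is bound into the tag as additional data so a swapped header fails.
func encryptSegment(kc *keyCache, keyID uint32, plaintext []byte) ([]byte, error) {
	key, err := kc.lookup(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ad := make([]byte, keyIDLen)
	binary.BigEndian.PutUint32(ad, keyID)
	out := make([]byte, 0, keyIDLen+ivLen+len(plaintext)+gcm.Overhead())
	out = append(out, ad...)
	out = append(out, iv...)
	return gcm.Seal(out, iv, plaintext, ad), nil
}

// segmentKeyID reads the key ID recorded in a segment header (0 if malformed).
func segmentKeyID(blob []byte) uint32 {
	if len(blob) < keyIDLen {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:keyIDLen])
}

// decryptSegment is the read path: read key ID and IV, fetch the key by ID,
// then decrypt. A missing key or any modification of the segment is an error.
func decryptSegment(kc *keyCache, blob []byte) ([]byte, error) {
	if len(blob) < keyIDLen+ivLen {
		return nil, errors.New("segment too short to carry key ID and IV")
	}
	ad := blob[:keyIDLen]
	iv := blob[keyIDLen : keyIDLen+ivLen]
	key, err := kc.lookup(binary.BigEndian.Uint32(ad))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, blob[keyIDLen+ivLen:], ad)
}

func main() {
	kc := newKeyCache()
	id1, _ := kc.generateDEK()
	seg, _ := encryptSegment(kc, id1, []byte("constructed segment data"))
	id2, _ := kc.generateDEK() // rotate: new writes use id2, old segment keeps id1
	pt, err := decryptSegment(kc, seg)
	fmt.Printf("key %d in header, rotated to %d, decrypt=%q err=%v\n", segmentKeyID(seg), id2, pt, err)
}
```

The `decryptSegment` failure cases are the ones worth monitoring in a real deployment: a key ID that the cache cannot resolve (key revoked or cache not yet warmed from the KMS) and an authentication failure on the segment bytes.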

          For orgs utilizing the updated search index framework, this process is streamlined: all indexes for all fields are automatically encrypted without needing a specific encryption policy. Admins can manage this by turning encryption on or off, generating new root keys, or generating new DEKs.

          In orgs not yet on the updated framework, a security administrator must enable Search Index Encryption from Setup. This involves creating a tenant secret of the "Search Index" type, then enabling "Encryption for Search Indexes," and finally configuring an encryption policy by selecting specific fields and files to encrypt. In this setup, an org-specific HSM-derived key is generated on demand from the tenant secret and securely passed to the search engine’s cache.

Note: If Salesforce admins disable encryption on a field, all index segments that were encrypted are decrypted and the key ID is set to null. This process can take up to seven days.