Application Tier Encryption and Database Encryption Work Together

Even if you’re using Database Encryption, you can still use application tier encryption like FLE on as required for security and compliance.

Features like FLE happen at the application tier, and Database Encryption happens at the data tier. As a result, when a user saves data, the data configured for encryption at the application tier are encrypted first. When control passes to the database layer, the database fragment that contains the encrypted data is encrypted by Database Encryption. So, when Database Encryption is enabled, application tier data configured for encryption is encrypted twice.

Though used at the same time, the encryption processes are completely separate. The data encryption keys are derived from different key material.

To learn how using more than one encryption type affects another, refer to Onboard to Shield Platform Encryption in Salesforce Help.