Moving to Shield Platform Encryption

The process of onboarding to Shield Platform Encryption requires a methodical, phase-based approach, as encryption applies to different data stores using distinct keys. The initial steps involve determining your encryption scope, classifying sensitive data, and setting up the foundational encryption policies. We recommend you make use of developer orgs and production sandboxes before rolling out any of the Shield Platform Encryption features.

You must generate your initial Tenant Secrets (such as the separate keys for Probabilistic Fields/Files and Deterministic Fields) in the Key Management settings. Once the keys are generated and active, you proceed to activate encryption feature by feature: enabling Field-Level Encryption for standard and custom fields, and activating encryption for core features like Chatter, Files, and Attachments.

Subsequent, more advanced onboarding steps address data stores that require dedicated key material for security isolation. This includes explicitly onboarding Search Index Encryption, which protects the search metadata derived from your encrypted data, and activating encryption for specialized services like CRM Analytics Data and Event Bus Data.

These encryption features do not exist in isolation. The order that you enable Shield Platform Encryption features can

Furthermore, you may want to make use of the advanced key management options like Bring Your Own Key (BYOK) and External Key Management (EKM), where you control the key material outside of Salesforce. Proper onboarding ensures that you not only encrypt data at rest but also manage the isolated keys effectively, minimizing impact on functionality while meeting strict security and compliance requirements.