Encryption and Compliance for Government Cloud

Salesforce Shield is a trio of security tools that builds extra levels of trust, compliance, and governance into your business-critical apps. It includes Salesforce Shield Platform Encryption, Event Monitoring, and Field Audit Trail. Salesforce Shield provides an additional layer of data protection with Government Cloud. By default, Shield Platform Encryption implements FIPS 140-validated encryption at rest at the volume level.

Salesforce gives you control over what fields and files you encrypt. Shield Platform Encryption uses strong, probabilistic encryption by default on data stored at rest. Shield Platform Encryption uses the FIPS-validated Advanced Encryption Standard (AES) with 256-bit keys that use cipher block chain (CBC) mode and random initialization vector.

Data Encryption Versus Functionality

Encrypting data at rest can be difficult when you’re trying to preserve Salesforce functionality. To improve Salesforce functionality while encrypting data at rest, use a static initialization vector instead of a random initialization vector. Static initialization vector, also known as deterministic encryption, isn’t FIPS-validated.

If you have concerns or questions after you review your Salesforce configuration, work with a partner or Salesforce Customer Support. Together you can assess the risk of deterministic encryption and, if applicable, the functional impact of switching to probabilistic encryption.