General Shield Platform Encryption Considerations
These considerations apply to all data that you encrypt by using Shield Platform Encryption.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
General
- Encrypted fields (standard or custom) can’t be used in:
  - Criteria-based sharing rules
  - Similar opportunities searches
  - External lookup relationships
- Fields encrypted with the probabilistic encryption scheme can’t be used in filter criteria for data management tools. For considerations specific to filter-preserving deterministic encryption, read Considerations for Using Deterministic Encryption.
- Web-to-Case is supported, but the Web Company, Web Email, Web Name, and Web Phone fields aren’t encrypted at rest.
Leads
Lead and Case assignment rules, workflow rules, and validation rules work normally when Lead fields are encrypted. Matching and de-duplication of records during lead import works with deterministic encryption but not probabilistic encryption. Einstein Lead Scoring isn’t available.
Apex Lead Conversion works normally, but PL-SQL-based lead conversion isn’t supported.
User Email
Many Salesforce features rely on the User Email field. These products and features behave differently when User Email is encrypted.
- If the Email field on the User object is encrypted with field-level encryption, you don’t receive critical Product & Service Notifications, including emails about org migrations, from Salesforce.
- User Email is unencrypted with Lightning Sync and Einstein Activity Capture without Sync Email as Salesforce Activity. These features duplicate the User Email field in the database when users are added to sync configurations for those products. Even if you encrypt the User Email field with Shield Platform Encryption, this duplicate field stores user emails in the Salesforce database in an unencrypted state. For more information, see Considerations for Syncing Contacts, Considerations for Syncing Events, and Considerations for Setting Up Einstein Activity Capture. If you use Einstein Activity Capture with Sync Email as Salesforce Activity, encryption on email fields is supported.
- Event functionality that relies on user emails, especially calendar invitations, can be interrupted. Before encrypting the User Email field in production environments, Salesforce recommends that you test Activity features in a sandbox.
- You can’t sort records in list views by fields that contain encrypted data. If you encrypt User email, you can’t add it as a filter in reports.
- Login Discovery Handler lookups that rely on emails don’t work if the email field is encrypted, which can block user logins. If your lookups rely on emails, don’t encrypt the User Email field.
- If you use Einstein Conversation Insights, encrypt User Email with case-insensitive deterministic encryption. Some Einstein Conversation Insights features, including video calls, don’t work when User Email is encrypted with probabilistic encryption.
Flows, Orchestrations, and Processes
You can reference encrypted fields in most places in your flows, orchestrations, and processes. However, you can’t reference encrypted fields in these filtering or sorting contexts.
| Tool | Filtering Availability | Sorting Availability |
|---|---|---|
| Process Builder | Update Records action | n/a |
| Flow Builder | Record Choice Set resource; Get Records element; Delete Records element; Update Records element; Condition requirements | Record Choice Set resource; Get Records element |
You can store the value from an encrypted field in a variable and operate on that value in your flow’s logic. You can also update the value for an encrypted field.
Paused flow interviews of any type can cause data to be saved in an unencrypted state. When a flow or process is waiting to resume, the associated flow interview is serialized and saved to the database. The flow interview is serialized and saved when:
- Users pause a flow.
- Flows execute a Wait element.
- Orchestrations execute asynchronous background steps, interactive steps, or MuleSoft steps.
- Processes are waiting to execute scheduled actions.
If the flow, orchestration, or process loads encrypted fields into a variable during these processes, that data isn’t always encrypted at rest.
Performance
Your users are unlikely to detect any difference in the performance of their day-to-day use of Salesforce when Shield Platform Encryption is enabled. Before enabling it in your production org, we recommend that you enable Shield Platform Encryption in a full copy sandbox and test it under real-world conditions.
Encryption Job Overloading
Although the performance effects on user experience are negligible when Shield Platform Encryption is enabled, application-tier encryption and decryption operations do require some time. If you anticipate needing to encrypt or decrypt many individual fields across multiple objects, we recommend batching these operations, especially if the task affects millions of records. Otherwise, your users' ability to search and retrieve results could be compromised longer than is optimal because of interruptions in the message queue.
Next Best Action Recommendations
When you use probabilistic encryption, you can’t use encrypted fields like Recommendation Description when you specify conditions to load recommendations.
Custom Fields
As with standard fields, you can’t use encrypted custom fields in criteria-based sharing rules.
Some custom fields can’t be encrypted.
- Fields that have the Unique or External ID attributes or include these attributes on previously encrypted custom fields (applies only to fields that use the probabilistic encryption scheme)
- Fields on external data objects
- Fields that are used in an account contact relation
You can’t use Schema Builder to create an encrypted custom field.
You can’t use Shield Platform Encryption with Custom Metadata Types.
Formula fields that refer to encrypted fields can't be used in Case Feed.
Deploying Packages
Salesforce doesn’t impose a hard limit on the number of fields that you can encrypt, but there is one functional limitation. If you have Shield Platform Encryption enabled and you want to deploy packages, you can only deploy 80 fields at a time. If you configure 80 or more fields to encrypt, you must deploy the package in phases, with fewer than 80 fields in each phase.
Masking Tradeoffs
Shield Platform Encryption doesn’t provide a masking feature, but it encrypts fields that you configure with masking. We reserve a few values to notify you when the encryption key used for an encrypted masked field is unavailable or has been destroyed. The topic Why Isn't My Encrypted Data Masked? lists all the reserved masking notification strings.
SOQL and SOSL
Assemble WHERE clauses according to the rules in the Comparison Operators section of the SOQL and SOSL Reference. When you use SOQL or SOSL, keep these points in mind:
- You can’t include fields encrypted with the probabilistic encryption scheme in these SOQL and SOSL clauses and functions:
  - Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
  - WHERE clause
  - GROUP BY clause
  - ORDER BY clause
  You can use SOQL WHERE with non-formula fields encrypted with deterministic encryption. For information about SOQL and SOSL compatibility with deterministic encryption, see Considerations for Using Deterministic Encryption.
  Tip: You can sometimes get better results by replacing a WHERE clause within a SOQL query with a FIND query using SOSL. Keep in mind that this workaround has its own limitations. See Salesforce Object Search Language and SOSL Limits on Search Results.
- When you query encrypted data, invalid strings return an INVALID_FIELD error instead of the expected MALFORMED_QUERY.
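As an added illustration (not code from the Salesforce documentation), the Apex class below contrasts the two schemes and applies the SOSL workaround from the tip. It assumes Contact.Email is encrypted with deterministic encryption, Account.Name with probabilistic encryption, and that describe metadata reports isFilterable() as false for a field the scheme makes unfilterable; the class and method names are hypothetical.

```apex
// Added example, not Salesforce's own code. Field encryption schemes are assumed:
// Contact.Email deterministic, Account.Name probabilistic.
public with sharing class EncryptedFieldLookup {

    // Deterministic scheme: an equality filter in a SOQL WHERE clause is permitted,
    // because equal plaintexts produce equal ciphertexts that the platform can match.
    public static List<Contact> contactsByEmail(String email) {
        return [SELECT Id, Email FROM Contact WHERE Email = :email LIMIT 200];
    }

    // Probabilistic scheme: WHERE, GROUP BY and ORDER BY on the field are rejected,
    // so query the search index with SOSL FIND instead (SOSL has its own result limits).
    public static List<Account> accountsByName(String term) {
        List<List<SObject>> found = [FIND :term IN NAME FIELDS RETURNING Account(Id, Name)];
        return (List<Account>) found[0];
    }

    // Guard for dynamically built queries: consult describe metadata before putting a
    // field into a WHERE clause. Assumption: isFilterable() is false for fields whose
    // encryption scheme makes them unfilterable.
    public static Boolean canFilterOn(Schema.SObjectField field) {
        return field.getDescribe().isFilterable();
    }

    // Route a dynamic lookup to SOQL or SOSL based on the guard, instead of letting the
    // SOQL query fail at runtime with the INVALID_FIELD error the page describes.
    public static List<SObject> lookup(Schema.SObjectType objType,
                                       Schema.SObjectField field, String value) {
        String objName = objType.getDescribe().getName();
        String fieldName = field.getDescribe().getName();
        if (canFilterOn(field)) {
            // Bind variable keeps the value out of the query text (no SOQL injection).
            return Database.query('SELECT Id FROM ' + objName
                                  + ' WHERE ' + fieldName + ' = :value LIMIT 200');
        }
        // SOSL fallback; escape quotes because the term is spliced into the FIND string.
        String safe = String.escapeSingleQuotes(value);
        List<List<SObject>> found = Search.query('FIND \'' + safe
                                                 + '\' IN ALL FIELDS RETURNING ' + objName + '(Id)');
        return found[0];
    }
}
```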
Marketing Cloud Account Engagement
Account Engagement supports contact email addresses encrypted by Shield Platform Encryption as long as your instance meets a few conditions. Your org must allow multiple prospects with the same email address. After this feature is enabled, you can add the contact email address field to your encryption policy.
Because the contact email address shows in the Permission object, users must have permission to view the Prospect object.
If you encrypt the contact email address field, the Salesforce Connector can’t use the email address as a secondary prospect match criteria. For more information, read Salesforce Connector Settings.
Portals
If a legacy portal (created before 2013) is enabled in your org, you can’t encrypt standard fields. To enable encryption on standard fields, deactivate all legacy customer and partner portals. (Salesforce Experience Cloud sites are supported.)
To deactivate a legacy customer portal, go to the Customer Portal Settings page in Setup. To deactivate a legacy partner portal, go to the Partners page in Setup.
Salesforce B2B Commerce
Shield Platform Encryption supports version 4.10 and later of the Salesforce B2B Commerce managed package, with some behavior differences. For a complete list of considerations, see Enable Shield Platform Encryption for B2B Commerce for Visualforce Objects.
Search
If you encrypt fields with a key and then destroy the key, the corresponding search terms remain in the search index. However, you can’t decrypt the data associated with the destroyed key.
Accounts, Person Accounts, and Contacts
When Person Accounts are turned on, encrypting any of these Account fields encrypts the equivalent Contact fields, and vice versa.
- Name
- Description
- Phone
- Fax
When you encrypt any of these Account or Contact fields, the equivalent fields in Person Accounts are also encrypted.
- Name
- Description
- Mailing Address
- Phone
- Fax
- Mobile
- Home Phone
- Other Phone
When the Account Name or Contact Name field is encrypted with probabilistic encryption, searching for duplicate accounts or contacts to merge doesn’t return any results. With deterministic encryption, searching for duplicate accounts or contacts to merge finds duplicates.
When you encrypt the First Name or Last Name field on a contact, that contact appears in the Calendar Invite lookup only if you haven’t filtered by First Name or Last Name.
Data copied from an encrypted Contact field to a Quote field isn't encrypted.
Email Bounce Handling
Bounce handling doesn’t support encrypted email addresses. If you need email bounce handling, don’t encrypt the standard Email field.
Email-to-Case
Copying text from email fields also copies Unicode characters embedded in email text. Two of those Unicode character sequences, \uFFFE and \uFFFF, can’t be included in text encrypted by Shield Platform Encryption. If you encounter an error mentioning these Unicode sequences, delete the text copied from the email field and type it manually.
Activity Subject and Description
You can encrypt an Activity Subject field with case-insensitive encryption. If you destroy key material that encrypts a field, filtering on the field doesn’t yield matches.
If you encrypt the Activity Subject field and it’s used in a custom picklist, delete and replace actions aren’t available for that value. To remove an Activity Subject value from a picklist, deactivate it.
Activity Subject fields that include an OrgID aren’t copied over when you create a sandbox copy of a production org.
Encrypting Activity Description also encrypts the Task Comment field. The validation email lists the Task Comment field but not Activity Description, even though both fields are encrypted.
Salesforce for Outlook
If you encrypt the same fields that you filter in Salesforce for Outlook datasets, Salesforce for Outlook doesn’t sync. To get Salesforce for Outlook to sync again, remove the encrypted fields from your filters in your datasets.
Campaigns
Campaign member search isn’t supported when you search by encrypted fields.
Notes
You can encrypt the body text of Notes created with the new Notes tool. However, the Preview file and Notes created with the old Notes tool aren’t supported.
Field Audit Trail
Data in a previously archived Field Audit Trail isn’t encrypted when you turn on Platform Encryption. For example, say that your org uses Field Audit Trail to define a data history retention policy for an account field, such as the phone number field. When you turn on encryption for that field, new phone number records are encrypted as they’re created. Previous updates to the phone number field that are stored in the Account History related list are also encrypted. However, phone number history data that is already archived in the FieldHistoryArchive object is stored without encryption. To encrypt previously archived data, contact Salesforce.
Salesforce Experiences
If you encrypt the Account Name field and you’re not using Person Accounts, encryption affects how users’ roles are displayed to admins. Normally, a site user’s role name is displayed as a combination of their account name and the name of their user profile. When you encrypt the Account Name field, the account ID is displayed instead of the account name.
For example, when the Account Name field isn’t encrypted, users belonging to the Acme account with the Customer User profile would have a role called Acme Customer User. When Account Name is encrypted (and Person Accounts aren’t in use), the role is displayed as something like 001D000000IRt53 Customer User.
Data Import Wizard
You can’t use the Data Import Wizard to perform matching by using master-detail relationships or update records that contain fields that use the probabilistic encryption scheme. You can use it to add new records, however.
Reports, Dashboards, and List Views
- Report charts and dashboard components that display encrypted field values might be cached unencrypted.
- You can’t sort records in list views by fields that contain encrypted data.
- Some fields that are encrypted with probabilistic encryption aren't available when you create reports, dashboards, or list views.
Encryption for Chatter
When you embed a custom component in your Chatter feed by using Rich Publisher Add-Ons, the data related to those add-ons is encoded, but it isn’t encrypted with the Shield Platform Encryption service. Unencrypted data in Rich Publisher Add-Ons includes data stored in the Extension ID, Text Representation, Thumbnail URL, Title, Payload, and PayloadVersion fields.
Encryption for Custom Matching Rules Used in Duplicate Management
Custom matching rules can only reference fields encrypted with the deterministic encryption scheme. Probabilistic encryption isn’t supported. When you rotate your keys, you must deactivate and then reactivate custom matching rules that reference encrypted fields. If you don’t take this step after updating your key material, matching rules don’t find all your encrypted data.
Standard matching rules that include fields with Shield Platform Encryption don’t detect duplicates. If you encrypt a field included in standard matching rules, deactivate the standard rule.
Service protections ensure that loads are balanced across the system. The matching service searches for match candidates until it finds all matches up to 200 matches. With Shield Platform Encryption, the service search maximum is 100 candidates. With encryption, you could find fewer or no possible duplicate records.
Duplicate jobs aren’t supported.
Self-Service Background Encryption
Self-service background encryption can encrypt data once every 7 days. This limit includes synchronization processes initiated from the Encryption Statistics and Data Sync page, synchronization that automatically runs when you disable encryption on a field, and synchronization completed by Salesforce Customer Support at your request.
Some conditions prevent the self-service background encryption from running.
- There are more than 10 million records in an object.
- The org has destroyed key material.
- An object’s data is already synchronized.
- The synchronization process is already running, initiated by the customer or by Salesforce Customer Support at the customer’s request.
- Statistics are being gathered.
- An encryption policy change is being processed, such as enabling encryption on a field or data element.
After you begin the synchronization process, wait until it finishes before changing your encryption policy or generating, uploading, or deleting key material. These actions abort the synchronization process.
Employees
If the email field is encrypted by using probabilistic encryption, wellness check surveys can’t be used. Deterministic encryption is fully supported.
Messaging End User
Encrypting fields on the Messaging End User object sometimes affects indexing. If you see performance degradation on these fields, manually create custom indexes on the affected fields after enabling encryption.