Synchronize Your Data Encryption with the Background Encryption Service
Over time you change your encryption policy or rotate your keys. Data that was encrypted earlier stays under the policy and key that were active when it was written, so to get the most protection out of Shield Platform Encryption, synchronize new and existing encrypted data under your most recent encryption policy and keys. You can do this yourself or ask Salesforce for help.
When a change occurs, you have options for keeping your encryption policy up to date. You can synchronize most standard and custom field data yourself from the Encryption Statistics and Data Sync page in Setup. For all other data, Salesforce is here to help ensure data alignment with your latest encryption policy and tenant secret.
When We Do and Don’t Automatically Encrypt Your Data
- When you turn on encryption for specific fields or other data, newly created and edited data are automatically encrypted with the most recent key.
- Data that’s already in your org doesn’t automatically get encrypted. Our background encryption service takes care of that on request.
- When you change your tenant secret as part of your key rotation strategy, data that’s already encrypted remains encrypted with the old tenant secret. Our background encryption service can update it on request. And don’t worry, you always have access to your data as long as you don’t destroy the old, archived keys.
- If you turn off encryption, data that’s already there is automatically decrypted based on the relevant key. Any functionality impacted by having encrypted data is restored.
- If Salesforce support re-encrypts your data with a new key, any data that was encrypted with the destroyed key is skipped. To access data encrypted with a destroyed key, import a backup of the destroyed key.
What You Can Synchronize Yourself
You can synchronize most encrypted data yourself from the Encryption Statistics and Data Sync page in Setup. Self-service background encryption synchronizes:
- Standard and custom fields
- The Attachment—Content Body field
- Field history and feed tracking changes when the Encrypt Field History and Feed Tracking Values setting is turned on
Review specific tradeoffs for background sync with encryption in General Shield Platform Encryption Considerations, in the section Self-Service Background Encryption in Salesforce Help.
Database Encryption Synchronization
Database encryption operates on database fragments, which are encrypted with their own DEKs (derived from your database encryption tenant secret). As your users add and modify data, it’s reorganized into new immutable fragments, thereby re-encrypting the data in these fragments with the latest key. This process is organic and gradual. Therefore, synchronizing your data doesn’t apply. To learn more, see the Shield Platform Encryption Architecture Guide.
How to Request Background Encryption Service from Salesforce Customer Support
If you can't sync data yourself, contact Salesforce Customer Support for help. Keep these tips in mind when asking for help with syncing your data.
| Tip | Description |
|---|---|
| Allow lead time | Contact Salesforce support 2–3 business days before you need the background encryption completed. The time to complete the process varies based on the volume of data. It could take several days. |
| Specify the data | Provide the list of objects, field names, and data elements that you want encrypted or re-encrypted. |
| Verify the list | Verify that this list matches what's encrypted in Setup. Also check that your field values aren't too long for encryption. |
| Include files and attachments? | Encryption for files and attachments is all or nothing. You don't have to specify which ones. |
| Include history and feed data? | Specify whether you want the corresponding field history and feed data encrypted. |
| Choose a time | Salesforce Customer Support can run the background encryption service Monday through Friday between 6 AM and 5 PM in your time zone. |
If you’re not sure which data is already encrypted, visit the Encryption Statistics page, which keeps a record of all fields that you have encrypted.
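The "Specify the data" and "Verify the list" tips above amount to reconciling the list you send to Salesforce Customer Support against what is actually encrypted in Setup. The script below is an added example written for this page, not Salesforce code or a Salesforce tool. It assumes you have retrieved your objects with the Metadata API, where each `<fields>` element of a `CustomObject` can carry an `<encryptionScheme>` (`None`, `ProbabilisticEncryption`, `CaseSensitiveDeterministicEncryption`, `CaseInsensitiveDeterministicEncryption`) and, for text fields, a `<length>`. The two object definitions are constructed sample data, and the `max_length` argument is a placeholder for whatever limit applies in your org; take the real value from the Shield Platform Encryption considerations rather than from this example.

```python
"""Reconcile a planned background-encryption sync request with the fields
that are actually encrypted, using Metadata API CustomObject XML.

Added example, not Salesforce code. Assumes the Metadata API CustomObject
format (namespace http://soap.sforce.com/2006/04/metadata). All XML below
is constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed retrieve of two objects: a mix of encrypted and plain fields.
SAMPLE_OBJECTS = {
    "Account": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <fields><fullName>Name</fullName>
        <encryptionScheme>CaseSensitiveDeterministicEncryption</encryptionScheme></fields>
    <fields><fullName>Phone</fullName>
        <encryptionScheme>ProbabilisticEncryption</encryptionScheme></fields>
    <fields><fullName>Tax_ID__c</fullName>
        <encryptionScheme>None</encryptionScheme><length>20</length><type>Text</type></fields>
    <fields><fullName>Notes__c</fullName>
        <encryptionScheme>ProbabilisticEncryption</encryptionScheme><length>255</length><type>Text</type></fields>
</CustomObject>""",
    "Contact": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <fields><fullName>Email</fullName>
        <encryptionScheme>ProbabilisticEncryption</encryptionScheme></fields>
    <fields><fullName>SSN__c</fullName>
        <encryptionScheme>CaseInsensitiveDeterministicEncryption</encryptionScheme><length>11</length><type>Text</type></fields>
    <fields><fullName>Nickname__c</fullName><length>40</length><type>Text</type></fields>
</CustomObject>""",
}

# The list you intend to send to support (constructed; deliberately wrong in
# two places so the reconciliation has something to report).
REQUESTED = {"Account": ["Name", "Phone", "Tax_ID__c"], "Contact": ["Email"]}


def encrypted_fields(xml_text):
    """Return {field: (scheme, declared_length)} for every field in the
    object XML whose encryptionScheme is present and not "None"."""
    root = ET.fromstring(xml_text)
    result = {}
    for field in root.findall("md:fields", NS):
        name = field.findtext("md:fullName", namespaces=NS)
        scheme = field.findtext("md:encryptionScheme", "None", NS)
        if scheme == "None":
            continue
        length = field.findtext("md:length", namespaces=NS)
        result[name] = (scheme, int(length) if length else None)
    return result


def reconcile(requested, objects_xml, max_length):
    """Compare a requested sync list with what Setup says is encrypted.

    Returns sorted lists under three keys:
      missing  - requested, but not encrypted in Setup (support will not sync it)
      omitted  - encrypted in Setup, but left out of the request (stays on old key)
      too_long - encrypted fields whose declared length exceeds max_length
    max_length is a caller-supplied placeholder, not a limit taken from Salesforce.
    """
    actual = {obj: encrypted_fields(xml) for obj, xml in objects_xml.items()}
    missing, omitted, too_long = [], [], []
    for obj, fields in requested.items():
        for f in fields:
            if f not in actual.get(obj, {}):
                missing.append(f"{obj}.{f}")
    for obj, enc in actual.items():
        for f, (_scheme, length) in enc.items():
            if f not in requested.get(obj, []):
                omitted.append(f"{obj}.{f}")
            if length is not None and length > max_length:
                too_long.append(f"{obj}.{f}")
    return {"missing": sorted(missing), "omitted": sorted(omitted),
            "too_long": sorted(too_long)}


if __name__ == "__main__":
    report = reconcile(REQUESTED, SAMPLE_OBJECTS, max_length=200)
    for key, items in report.items():
        print(f"{key}: {', '.join(items) or '(none)'}")
```

The "omitted" list is the one that matters for key rotation: any encrypted field you leave off the request keeps its ciphertext under the older tenant secret, which is exactly the data you lose if that archived key is later destroyed. Run the reconciliation against a fresh retrieve, fix the request until "missing" and "omitted" are empty, and then send the list to support.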
What if You Destroyed Your Key?
If your encryption key has been destroyed, your data can’t be automatically decrypted. You have some options for handling this data.
- Re-import the destroyed key from a backup, then ask Salesforce Customer Support to synchronize your data with your encryption policy.
- Delete all the data that was encrypted with the destroyed key, then ask Salesforce Customer Support to synchronize your data.
- Ask Salesforce Customer Support to mass overwrite the data that was encrypted with the destroyed key with "?????".
Keep these points in mind when disabling encryption on data encrypted with destroyed material.
- When you disable encryption for files that were encrypted with a key that’s been destroyed, the files don’t automatically go away. You can ask Salesforce support to delete the files.
- The automatic decryption process takes longer when you disable encryption on fields encrypted with a key that’s been destroyed. Salesforce notifies you by email when the process finishes.
- Sync Data with Self-Service Background Encryption
Synchronizing your data with your active key material keeps your encryption policy up to date. You can sync data in standard and custom fields, the Attachment—Content Body field, and for field history and feed tracking changes from the Encryption Statistics and Data Sync page in Setup. To synchronize all other encrypted data, contact Salesforce Customer Support.

