Differences Between Classic Encryption and Shield Platform Encryption
Shield Platform Encryption offers two paths toward encrypting data: Field-Level Encryption and Database Encryption. Both offer control over key material and encrypt a broader range of data than Classic Encryption. Each Shield Platform Encryption option offers different data coverage, key management options, and support for functionality such as filtering and sorting. Use the comparison table in this article to help you decide which option best meets your encryption requirements.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
| Feature | Classic Encryption | Field-Level Encryption | Database Encryption |
|---|---|---|---|
| Pricing | Included in base user license | Additional fee applies | Additional fee applies |
| Encryption at Rest |
|
|
|
| Native Solution (No Hardware or Software Required) |
|
|
|
| Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES CBC) | 256-bit Advanced Encryption Standard (AES GCM) |
| HSM-based Key Derivation |
|
|
|
| Manage Encryption Keys Permission |
|
|
|
| Generate Keys |
|
|
|
| Store Encryption Keys Outside of Salesforce |
|
|
|
| Export, Import, and Destroy Keys |
|
|
|
| Advanced Key Options |
|
BYOK, Cache-only Keys, External Key Management | BYOK |
| PCI-DSS L1 Compliance |
|
|
|
| Masking |
|
No
(Why Isn’t my Encrypted Data Masked?)
|
No
(Why Isn’t my Encrypted Data Masked?)
|
| Mask Types and Characters |
|
|
|
| View Encrypted Data Permission Required to Read Encrypted Field Values |
|
|
|
| Encrypted Standard Fields |
|
|
All standard fields |
| Encrypted Attachments, Files, and Content |
|
|
|
| Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters |
|
All custom fields |
| Encrypt Existing Fields for Supported Custom Field Types |
|
|
|
| Encrypt Custom Metadata and Apex |
|
|
|
| Search, Filters, and Queries |
|
UI, partial search, lookups, and certain SOSL queries on fields encrypted with the deterministic encryption scheme |
All SOSL and SOQL queries except on fields also encrypted with field-level encryption |
| Sorting |
|
|
Except on fields also encrypted with field-level encryption |
| Encrypt the Entire Database Including Standard and Custom Fields, Metadata, and Apex |
|
|
|
| API Access |
|
|
|
| Available in Workflow Rules and Workflow Field Updates |
|
|
|
| Available in Approval Process Entry Criteria and Approval Step Criteria |
|
|
|
