Application Tier and Data Tier Encryption
Application tier encryption refers to encryption for specific Salesforce features, such as Field-Level Encryption, Chatter, Event Bus Data, and CRM Analytics data. The at-rest data for each feature is encrypted with a feature-specific data encryption key (DEK). Data tier encryption refers to encryption at the underlying data level, such as with Database Encryption. It covers everything in the transactional database, regardless of which feature makes use of the data.
Application tier encryption happens before data tier encryption. So when Database Encryption is enabled, any data protected by a feature-specific encryption that is also enabled is encrypted twice: once with the feature's DEK and again with the database key. This redundant encryption has no effect on performance.
Database Encryption vs FLE
In this guide, we focus on FLE as the representative application tier feature. To learn more about the other application tier products, refer to What You Can Encrypt in Help.
Database Encryption and Field-Level Encryption are different features, and each has different advantages and limitations.
- To benefit from Database Encryption, your org must be in Hyperforce.
- Application tier encryption supports Salesforce-generated keys, Bring Your Own Key (BYOK), Cache-only keys, and External Key Management (EKM) options.
- Database Encryption supports Salesforce-generated keys and BYOK.
- Application tier encryption provides the ability to archive and destroy keys.
- Database Encryption supports key archiving.
- Application tier encryption lets you manually synchronize all of your encrypted data with the most recent encryption key. Database Encryption doesn't.
- Database Encryption provides full filtering, querying, searching, and sorting of the data that it encrypts.
- Field-Level Encryption—the feature that enables you to exercise fine-grain control over record data—has some restrictions on filtering, querying, searching, and sorting.
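The layering described above (application tier first, then data tier) and the key-destruction difference in the list can be modelled in a few lines. This is an added illustrative example, not Salesforce's implementation: the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real AEAD, and the key store, field names, and `destroy_key` helper are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Stand-in for a real AEAD cipher (illustrative only): HMAC-SHA256 keystream + encrypt-then-MAC.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Hypothetical key store: one DEK for the application-tier feature (FLE), one for the data tier.
KEYS = {"fle": os.urandom(32), "db": os.urandom(32)}

def write_record(record: dict, fle_fields: set) -> bytes:
    row = dict(record)
    # Application tier first: FLE encrypts only the designated fields with its own DEK.
    for f in fle_fields:
        row[f] = seal(KEYS["fle"], row[f].encode()).hex()
    # Data tier second: Database Encryption wraps the entire row with the database DEK.
    return seal(KEYS["db"], json.dumps(row).encode())

def read_record(blob: bytes, fle_fields: set) -> dict:
    row = json.loads(unseal(KEYS["db"], blob))  # data tier: whole row decrypts as one unit
    for f in fle_fields:                         # application tier: per-field, separate key
        # A destroyed FLE key leaves the rest of the row readable, but not this field.
        row[f] = None if KEYS["fle"] is None else unseal(KEYS["fle"], bytes.fromhex(row[f])).decode()
    return row

def destroy_key(name: str) -> None:
    KEYS[name] = None  # irreversible: models "destroy", as opposed to "archive"
```

After `destroy_key("fle")`, `read_record` still returns the unencrypted columns but yields `None` for the FLE-protected field, which is the practical effect of the application tier's destroy capability that Database Encryption alone does not offer.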

