Database Encryption Happens in the Data Tier
The Lightning Platform’s foundation for Database Encryption is a fragment-driven architecture that supports multitenant transactional operations. It encrypts within the data tier.
Unlike FLE and the other features, which encrypt in the application tier, Database Encryption is applied at the transactional data tier. It encrypts all data in the transactional database without impeding filtering or sorting, and without interfering with the many Salesforce features that rely on those actions. All transactional data is encrypted, including standard fields, custom fields, custom metadata, and Apex data.
Cryptographic Library and Algorithms
For Database Encryption, Shield Platform Encryption uses the JCE to encrypt and decrypt data. Specifically, Shield Platform Encryption uses AES-256 in GCM mode with a random IV.
Like encryption at the field level, the secure key materials for Database Encryption are retrieved from the regional KMS. With Database Encryption, the encryption services reside within the transactional database and apply encryption at the database fragment level. That is, the smallest unit of encryption for Database Encryption is a database fragment, typically 64 KB or smaller.

