          Shield Platform Encryption Process Flow for Application Tier Encryption

Before data is encrypted, a Salesforce administrator must enable encryption and generate or supply key material. For each field, file, attachment, and data element on which encryption is enabled in the application tier, the corresponding metadata in the UDD is updated to reflect the new encryption setting.

Encryption process flow
1. When a user saves encrypted data, the runtime engine determines from the metadata whether the field, file, attachment, or data element must be encrypted before it is stored in the database.
2. If the decision is to encrypt, the encryption service checks the encrypted key cache for the matching data encryption key.
3. The encryption service determines whether the key exists.
  1. If yes, the encryption service retrieves the key from the cache.
  2. If no, the service sends a derivation request to the regional Shield KMS, which derives the key and returns it to the encryption service running on the Lightning Platform. Data moving between the regional Shield KMS and the encryption service is encrypted with TLS, using a certificate signed by a dedicated Salesforce certificate authority. This certificate's private key is stored in encrypted form by both the regional Shield KMS and the encryption service, and the certificate's public and private keys are rotated regularly.
4. After retrieving or deriving the key, the encryption service generates a random IV and encrypts the data using JCE's AES-256 implementation.
5. The ciphertext is saved in the database or file storage. The IV and the ID of the key material used to derive the data encryption key are saved in the database.
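The flow above as an added example, not Salesforce's own code: a small Go model of the encryption service with its key cache, a mocked KMS derivation (an HMAC over a constructed master secret stands in for the regional Shield KMS), a fresh random IV per save, and the stored record of ciphertext, IV and key material ID. AES-GCM, the record layout and every name here are assumptions; the page itself specifies only AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed master secret standing in for the regional Shield KMS; the real
// derivation happens inside the KMS, reached over TLS, never on the app tier.
var mockKMSMasterSecret = []byte("constructed, not a real secret")

// Record is what step 5 persists: ciphertext, the IV, and the key material ID.
// Service is the app-tier encryption service with its key cache (step 2);
// KMSRequests counts the cache misses that went to the mock KMS (step 3b).
type Record struct{ KeyID string; IV, Ciphertext []byte }
type Service struct{ cache map[string][]byte; KMSRequests int }

func NewService() *Service { return &Service{cache: map[string][]byte{}} }

// aead serves the DEK from the cache or derives and caches it (step 3). The HMAC
// mocks the KMS derivation; AES-GCM is an assumption, the page only says AES-256.
func (s *Service) aead(keyID string) cipher.AEAD {
	key, ok := s.cache[keyID]
	if !ok {
		s.KMSRequests++ // here the real service sends a derivation request to the KMS
		mac := hmac.New(sha256.New, mockKMSMasterSecret)
		mac.Write([]byte(keyID))
		key = mac.Sum(nil) // 32 bytes: an AES-256 key bound to this key material ID
		s.cache[keyID] = key
	}
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	return g
}

// Encrypt is step 4: a fresh random IV for every save, then AES-256 over the value.
func (s *Service) Encrypt(keyID string, plaintext []byte) Record {
	g := s.aead(keyID)
	iv := make([]byte, g.NonceSize())
	rand.Read(iv) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return Record{KeyID: keyID, IV: iv, Ciphertext: g.Seal(nil, iv, plaintext, nil)}
}

// Decrypt reverses the flow from the stored IV and key material ID; a tampered IV or ciphertext fails GCM authentication.
func (s *Service) Decrypt(r Record) ([]byte, error) {
	return s.aead(r.KeyID).Open(nil, r.IV, r.Ciphertext, nil)
}
```

Because each record carries the ID of the key material it was encrypted under, a record saved under an older ID still decrypts after new key material is introduced, while the same bytes presented under the wrong ID fail authentication.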
          Salesforce Help | Article