          Fundamental Concepts in Shield Platform Encryption


          Salesforce Shield Platform Encryption is an advanced security feature that provides at-rest encryption for sensitive data. At its core, the platform uses a system of secrets, keys, and cryptographic materials to secure data. The main component is the data encryption key (DEK), which is the key that directly encrypts your data. By default, Salesforce uses a derivation function to derive DEKs from a set of key materials. We ensure that plaintext DEKs are never written to disk. These DEKs are instead derived on demand and stored in a secure cache.

          In this section, you learn how Salesforce Shield Platform Encryption secures data at rest by using a multi-layered encryption approach. The section details two main types of encryption, application tier (represented by Field-Level Encryption) and data tier, and explores the key components that power them. You'll learn how data encryption keys (DEKs) are derived from a combination of Salesforce- and customer-contributed materials, and how different key types, like tenant secrets and root keys, work together to protect your data. The section also highlights the distinct advantages and limitations of each encryption type, particularly regarding data querying and filtering capabilities.
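
The derive-on-demand pattern described above, sketched as an added example (not Salesforce's code): a DEK is recomputed from provider- and customer-contributed material and held only in an in-memory cache. PBKDF2-HMAC-SHA256, the iteration count, the cache lifetime, and every name below are assumptions; the page does not name the derivation function.

```python
import hashlib
import time

# Assumptions, not taken from the Salesforce page: the KDF, its parameters,
# the cache lifetime, and all class and method names.
KDF_ITERATIONS = 10_000
CACHE_TTL_SECONDS = 300


class DekCache:
    """Derives DEKs on demand and keeps them only in process memory."""

    def __init__(self, platform_secret: bytes, clock=time.monotonic):
        self._platform_secret = platform_secret  # provider-contributed material
        self._tenant_secrets = {}  # (tenant, version) -> customer-contributed material
        self._cache = {}           # (tenant, version) -> (dek, expiry time)
        self._clock = clock
        self.derivations = 0       # counts real KDF runs, for inspection

    def set_tenant_secret(self, tenant: str, version: int, secret: bytes) -> None:
        self._tenant_secrets[(tenant, version)] = secret

    def destroy_tenant_secret(self, tenant: str, version: int) -> None:
        # Without the customer material the DEK cannot be re-derived,
        # so the cached copy is evicted as well.
        self._tenant_secrets.pop((tenant, version), None)
        self._cache.pop((tenant, version), None)

    def get_dek(self, tenant: str, version: int) -> bytes:
        key = (tenant, version)
        hit = self._cache.get(key)
        if hit and hit[1] > self._clock():
            return hit[0]  # cache hit: no derivation, nothing read from disk
        secret = self._tenant_secrets.get(key)
        if secret is None:
            raise KeyError(f"no key material for {tenant} v{version}")
        # Both parties' material feeds the KDF; neither alone yields the DEK.
        salt = self._platform_secret + f"{tenant}:{version}".encode()
        dek = hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)
        self.derivations += 1
        self._cache[key] = (dek, self._clock() + CACHE_TTL_SECONDS)
        return dek
```

Because the DEK is a deterministic function of the two inputs, an expired cache entry is rebuilt to the same key, while destroying the customer-contributed secret leaves data under that key version undecryptable.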

          • Application Tier and Data Tier Encryption
            Application tier encryption refers to encryption for specific Salesforce features, such as Field-Level Encryption, Chatter, Event Bus Data, and CRM Analytics data. The at-rest data for each feature is encrypted using a feature-specific data encryption key (DEK). Encryption at the data tier refers to encryption at the underlying data level, such as with Database Encryption. It covers everything in the transactional database, regardless of which feature makes use of the data.
          • Tenant Secrets, Root Keys, DEKs, and More
            Central to encryption are the secrets and keys that the platform uses to encrypt and decrypt data. Throughout this guide, we refer to nearly a dozen types of secrets, materials, and keys that participate in the Shield Platform Encryption process. Before reading further, it’s helpful to understand how these parts relate to each other. A glossary at the end of the guide defines all the different secrets and material types that we discuss.
          • Shield Platform Encryption Products
            With Shield Platform Encryption, you have many options for securing your data. You can encrypt
          • What Gets Encrypted?
            You can encrypt a variety of fields, files, and data with Shield Platform Encryption. Salesforce uses metadata to keep information in these files and fields secure while preserving the ability to perform common business tasks.
           