What Gets Encrypted?
You can encrypt a variety of fields, files, and data with Shield Platform Encryption. Salesforce uses metadata to keep information in these files and fields secure while preserving the ability to perform common business tasks.
This table compares the features of Classic Encryption, application tier encryption, and data tier encryption:
| Item | Classic Encryption | Application Tier Encryption | Data Tier Encryption |
|---|---|---|---|
| Pricing | Included in base user license | Additional fee applies | Additional fee applies |
| Encryption at Rest | | | |
| Native Solution (No Hardware or Software Required) | | | |
| Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES CBC) | 256-bit Advanced Encryption Standard (AES GCM) |
| HSM-based Key Derivation | | | |
| Manage Encryption Keys Permission | | | |
| Generate Keys | | | |
| Store Encryption Keys Outside of Salesforce | | | |
| Export, Import, and Destroy Keys | | | |
| Advanced Key Options | | BYOK, Cache-only Keys, External Key Management | BYOK |
| PCI-DSS L1 Compliance | | | |
| Masking | | No (Why Isn’t my Encrypted Data Masked?) | No (Why Isn’t my Encrypted Data Masked?) |
| Mask Types and Characters | | | |
| View Encrypted Data Permission Required to Read Encrypted Field Values | | | |
| Encrypted Standard Fields | | | All standard fields |
| Encrypted Attachments, Files, and Content | | | |
| Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters | | All custom fields |
| Encrypt Existing Fields for Supported Custom Field Types | | | |
| Encrypt Custom Metadata and Apex | | | |
| Search, Filters, and Queries | | UI, partial search, lookups, and certain SOSL queries on fields encrypted with the deterministic encryption scheme | All SOSL and SOQL queries except on fields also encrypted with field-level encryption |
| Sorting | | | Except on fields also encrypted with field-level encryption |
| Encrypt the Entire Database Including Standard and Custom Fields, Metadata, and Apex | | | |
| API Access | | | |
| Available in Workflow Rules and Workflow Field Updates | | | |
| Available in Approval Process Entry Criteria and Approval Step Criteria | | | |
- What is Encrypted with Database Encryption?
  Database Encryption encrypts the entire transactional database. All data stored within the database is encrypted, including standard and custom entities, all metadata, all setup configuration data, Chatter posts, Einstein data, transaction logs, and storage catalogs.
- What is Encrypted with Field-Level Encryption?
  In contrast to Classic Encryption, which uses a custom field type in the Salesforce data model, Shield Platform Field-Level Encryption makes more fields, files, and data elements available for encryption with every release.
- What is Encrypted with Search Index Encryption?
  The Salesforce search engine is built on the open-source enterprise search platform software Apache Solr. The search index, which stores tokens of record data with links back to the original records stored in the database, is housed within Solr.
- What is Encrypted with Files and Attachments Encryption?
  Shield Platform Encryption encrypts all files and attachments uploaded into Salesforce. The body of each file is encrypted. If you have enabled Database Encryption, files and attachments smaller than 32K in size are stored directly within the transactional database and are under its encryption protection. Larger files are always stored as encrypted binary objects in a separate content store.
- What is Encrypted with Event Change Data Encryption?
  The event bus may store event and CDC data in temporary files as it flows through integrations and real-time processes. Turning on Event Bus Data encryption ensures that event bus data in these temporary storage locations is fully encrypted.
- What is Encrypted with CRM Analytics Encryption?
  When you enable CRM Analytics Encryption, all new reports, dashboards, and data sets are protected.
- What is Encrypted with Chatter Encryption?
  Chatter Encryption is an application tier encryption that covers data in feed posts and comments, questions and answers, link names, and URLs. It also includes poll choices and questions and content from your custom rich publisher apps.



