Encryption at Rest - Shield Platform Encryption (Add-On)
Salesforce Shield Platform Encryption is the add-on security feature of Salesforce that encrypts sensitive data at rest without breaking the features your team needs, like search and workflows.
Shield Platform Encryption includes the following capabilities to encrypt your data at rest:
- AES 256-Bit Encryption: Uses the industry-standard Advanced Encryption Standard with 256-bit keys.
- Flexible Key Management:
  - Salesforce-Generated: Let Salesforce handle the key lifecycle.
  - Bring Your Own Key (BYOK): You generate and manage your own "tenant secrets" outside Salesforce.
  - Cache-Only Keys: Your keys are stored in your own external Key Management System (KMS) and are only briefly "cached" in Salesforce memory when needed, never hitting the disk.
- Two Encryption Schemes:
  - Probabilistic Scheme
  - Deterministic Scheme
- Broad Coverage: Unlike "Classic" encryption (which only handles a few custom fields), Shield can encrypt Standard Fields (like Name or Phone), Custom Fields, Files, Attachments, and even Search Indexes.
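As an added illustration (example code written for this page, not Salesforce's own code or its real key-derivation and encryption internals), the Go program below models the two schemes and tenant-secret-derived keys: a data encryption key derived from a constructed master secret and a tenant secret version, AES-256-GCM encryption of a field value under a random nonce (probabilistic) or a plaintext-derived synthetic IV (deterministic), and decryption that only succeeds under the key version the value was written with. The field name `SSN__c`, the master secret and the tenant secret used in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// prf is HMAC-SHA256. It stands in for tenant-secret key derivation (a constructed
// model, not Salesforce's KDF): DEK = prf(master, tenantSecret+"\x00"+version).
func prf(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// encryptField: AES-256-GCM, nonce prepended, field name bound as associated data.
// Probabilistic: random nonce, so equal plaintexts give different ciphertexts.
// Deterministic: synthetic IV = prf(sub-key, field+plaintext), so equal values in a
// field encrypt identically (exact-match filtering works, but value repetition leaks).
func encryptField(dek []byte, field, plaintext string, deterministic bool) ([]byte, error) {
	block, err := aes.NewCipher(dek) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if deterministic {
		copy(nonce, prf(prf(dek, "siv"), field+"\x00"+plaintext))
	} else if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(field)), nil
}
// decryptField succeeds only under the DEK version the value was written with.
func decryptField(dek []byte, field string, ct []byte) (string, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(field))
	return string(pt), err
}
```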
When configured, Shield Platform Encryption addresses the risk of data exposure at rest, protecting sensitive information from unauthorized access at the database and infrastructure levels rather than just the application level. By encrypting data as it is written to disk, it mitigates the "insider threat" of backend users or service providers viewing raw data, while also fulfilling stringent regulatory compliance requirements (such as HIPAA, GDPR, and FINRA) that demand proof of data custody. Furthermore, it addresses data sovereignty risks by allowing companies to maintain exclusive control over their encryption keys, ensuring that even in a multi-tenant cloud environment, their most critical PII remains unreadable to anyone without the specific tenant-secret-derived key.
- Shield Platform Encryption (Add-On) Encryption Policy - Salesforce Managed Keys: Enable Tenant Secrets and rotate them periodically.
- Shield Platform Encryption (Add-On) Encryption Policy - Database Encryption: Enable Tenant Secrets and rotate them periodically.
- Shield Platform Encryption (Add-On) Encryption Policy - Enable Encryption on Supported Features: Enable encryption in the supported features.
- Shield Platform Encryption (Add-On) Encryption Policy - Manage Data 360 Keys: Enable Data 360 encryption and manage the keys.
- Shield Platform Encryption (Add-On) Encryption Policy - Restrict Access to Encryption Policy Settings: Periodically review encryption-related permissions.
- Shield Platform Encryption (Add-On) Encryption Policy - Enable Opt Out Key Derivation and BYOK: Use the Bring Your Own Key (BYOK) feature to supply the final data encryption key that encrypts sensitive data.

