Join us to learn about Salesforce Shield Platform Encryption. Salesforce Shield is a trio of security tools that helps admins and developers build extra levels of trust, compliance, and governance right into business-critical apps. It includes Shield Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your Salesforce administrator if Salesforce Shield is available in your organization

Whats is Shield Platform Encryption?

Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that’s maintained by Salesforce. By default, we combine these secrets to create your unique data encryption key. You can also supply your own final data encryption key. We use your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it

• Adds new layer of security
• Encrypt sensitive data at rest
• Encryption key material is never saved or shared across orgs.
• Customer driven encryption key
• Available for free in Developer Edition orgs.

Need for Shield Platform Encryption

We need Shield platform encryption for

1. Compliance requirements
2. Contractual obligations

Classic Encryption Vs Shield Platform Encryption

Let see what’s the difference between Classic Encryption and Shield Platform Encryption?

Feature	Classic Encryption	Platform Encryption
Pricing	Included in base user license	Additional fee applies
Encryption at Rest	Yes	Yes
Encryption Algorithm	128-bit Advanced Encryption Standard (AES)	256-bit Advanced Encryption Standard (AES)
Masking	Yes	No
Encrypted Standard Fields	No	Yes
Encrypted Custom Fields	Dedicated custom field type, limited to 175 characters	Yes
Manage Encryption Keys Permission	No	Yes

Shield Platform Encryption Process Flow

Let understand how the shield platform encryption work behind the screen.

Type of Salesforce Encryption

Probabilistic Encryption

1. Introduces an element of chance
2. Source text repeatedly encrypted with the same key will normally yield different ciphertext. 
3. Example – ‘hello world’ won’t always correspond to the same ciphertext.
4. By default, probabilistic encryption in Salesforce.  
5. No filtering
6. It is recommended to use probabilistic encryption whenever data in a field will not need to be filtered on.

Custom Fields – Cannot

1. encrypted custom fields in criteria-based sharing rules.
2. Some custom fields can’t be encrypted.
3. Schema Builder to create an encrypted custom field.
4. Formula fields

SOQL/SOSL

Can’t include fields encrypted with the probabilistic encryption scheme in the following SOQL and SOSL clauses and functions:

1. Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
2. WHERE clause
3. GROUP BY, ORDER BY clause

Deterministic Encryption

1. Enable users to filter on encrypted data. 
2. Uses a static initialization vector (IV) so that encrypted data can be matched to a particular field value. 
3. Unique IV for a field in an org and can only be decrypted with your org-specific encryption key. 
4. Ciphertext- can be repeatedly produced, given the same source text and key. 
5. Example – ‘hello world’ == ‘&yy/ m/jyp’
6. Case-Sensitive/Case-Insensitive

Planning for building apps with Platform Encryption

Best Practices for Platform Encryption

Before implementing Salesforce shield platform encryption let understand the best practices of platform encryption.

Key Management & Self-Service Background Encryption

Newly created and edited data are automatically encrypted with the most recent key. Existing data doesn’t automatically get encrypted. Self-Service Background Encryption. Synchronizing your data encryption doesn’t modify the record LastModifiedDate or LastModifiedById timestamps.

Shield Platform Encryption after sandbox refresh

Recording

Summary

Shield Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps. Encrypting data at rest adds another layer of protection to PII, sensitive, confidential, or proprietary data.