
Join us to learn about Salesforce Shield Platform Encryption. Salesforce Shield is a trio of security tools that helps admins and developers build extra levels of trust, compliance, and governance right into business-critical apps. It includes Shield Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your Salesforce administrator if Salesforce Shield is available in your organization.
What is Shield Platform Encryption?
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that’s maintained by Salesforce. By default, we combine these secrets to create your unique data encryption key. You can also supply your own final data encryption key. We use your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it.
- Adds a new layer of security
- Encrypt sensitive data at rest
- Encryption key material is never saved or shared across orgs.
- Customer-driven encryption key
- Available for free in Developer Edition orgs.
Need for Shield Platform Encryption
We need Shield Platform Encryption for:
- Compliance requirements
- Contractual obligations
Classic Encryption Vs Shield Platform Encryption
Let’s see the difference between Classic Encryption and Shield Platform Encryption.
| Feature | Classic Encryption | Platform Encryption |
| --- | --- | --- |
| Pricing | Included in base user license | Additional fee applies |
| Encryption at Rest | Yes | Yes |
| Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES) |
| Masking | Yes | No |
| Encrypted Standard Fields | No | Yes |
| Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters | Yes |
| Manage Encryption Keys Permission | No | Yes |
Shield Platform Encryption Process Flow
Let’s understand how Shield Platform Encryption works behind the scenes.
Types of Salesforce Encryption
Probabilistic Encryption
- Introduces an element of chance
- Source text repeatedly encrypted with the same key will normally yield different ciphertext.
- Example – ‘hello world’ won’t always correspond to the same ciphertext.
- Salesforce uses probabilistic encryption by default.
- Fields encrypted this way can’t be filtered on.
- It is recommended to use probabilistic encryption whenever data in a field will not need to be filtered on.
Custom Fields – Limitations
- You can’t use encrypted custom fields in criteria-based sharing rules.
- Some custom fields can’t be encrypted.
- You can’t use Schema Builder to create an encrypted custom field.
- Formula fields
SOQL/SOSL
You can’t include fields encrypted with the probabilistic encryption scheme in the following SOQL and SOSL clauses and functions:
- Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
- WHERE clause
- GROUP BY and ORDER BY clauses
Deterministic Encryption
- Enables users to filter on encrypted data.
- Uses a static initialization vector (IV) so that encrypted data can be matched to a particular field value.
- The IV is unique for a field in an org, and the data can only be decrypted with your org-specific encryption key.
- The same ciphertext can be repeatedly produced, given the same source text and key.
- Example – ‘hello world’ == ‘&yy/ m/jyp’
- Available as case-sensitive or case-insensitive.
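The contrast between the two schemes, as an added Node.js example (not Salesforce's implementation and not code from the original post): a random IV hides equal values, while a static per-field IV lets an equality filter run on ciphertext. CBC mode, the PBKDF2 key derivation, the HMAC-derived field IV, the secrets, and the field names `Email_Det__c` / `Email_Prob__c` are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-ins for the tenant secret and master secret described above.
const TENANT_SECRET = Buffer.from('constructed-tenant-secret');
const MASTER_SECRET = Buffer.from('constructed-master-secret');

// Assumption: PBKDF2-SHA256 stands in for however the two secrets are combined.
function deriveDataKey(tenant, master) {
  return crypto.pbkdf2Sync(master, tenant, 10000, 32, 'sha256'); // 256-bit key
}

// AES-256 (CBC mode is an assumption); the IV is stored in front of the ciphertext.
function encryptWithIv(key, iv, plaintext) {
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body]).toString('base64');
}

function decrypt(key, stored) {
  const raw = Buffer.from(stored, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-cbc', key, raw.subarray(0, 16));
  return Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]).toString('utf8');
}

// Probabilistic: a fresh random IV per write, so equal values never look equal.
function encryptProbabilistic(key, plaintext) {
  return encryptWithIv(key, crypto.randomBytes(16), plaintext);
}

// Deterministic: one static IV per field (hypothetical derivation: HMAC of the field name).
function encryptDeterministic(key, fieldName, plaintext) {
  const iv = crypto.createHmac('sha256', key).update(fieldName).digest().subarray(0, 16);
  return encryptWithIv(key, iv, plaintext);
}

// Equality filter evaluated on ciphertext only, like WHERE field = value.
function filterEquals(rows, key, fieldName, value) {
  const needle = encryptDeterministic(key, fieldName, value);
  return rows.filter((row) => row[fieldName] === needle).map((row) => row.id);
}

const key = deriveDataKey(TENANT_SECRET, MASTER_SECRET);
// Constructed records: the same e-mail address stored under both schemes.
const rows = ['a@example.com', 'b@example.com', 'a@example.com'].map((email, i) => ({
  id: i + 1,
  Email_Det__c: encryptDeterministic(key, 'Email_Det__c', email),
  Email_Prob__c: encryptProbabilistic(key, email),
}));
console.log(filterEquals(rows, key, 'Email_Det__c', 'a@example.com'), rows[0].Email_Prob__c === rows[2].Email_Prob__c);
```

The same property that makes the deterministic column filterable also reveals which records share a value to anyone who can read the ciphertext, which is why the probabilistic scheme is recommended for fields that never need filtering.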
Planning for building apps with Platform Encryption
Best Practices for Platform Encryption
Before implementing Salesforce Shield Platform Encryption, let’s understand the best practices for Platform Encryption.
Key Management & Self-Service Background Encryption
Newly created and edited data is automatically encrypted with the most recent key. Existing data doesn’t automatically get encrypted; use Self-Service Background Encryption to synchronize it. Synchronizing your data encryption doesn’t modify the record LastModifiedDate or LastModifiedById timestamps.
Shield Platform Encryption after sandbox refresh
Summary
Shield Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps. Encrypting data at rest adds another layer of protection to PII, sensitive, confidential, or proprietary data.

Amit Chaudhary is a Salesforce Application & System Architect and has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and has 17 Salesforce Certificates.
He is an active blogger and the founder of Apex Hours.