Introduction to Shield Platform Encryption

Salesforce Shield Platform Encryption

Join us to learn about Salesforce Shield Platform Encryption. Salesforce Shield is a trio of security tools that helps admins and developers build extra levels of trust, compliance, and governance right into business-critical apps. It includes Shield Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your Salesforce administrator if Salesforce Shield is available in your organization

What is Salesforce Shield Platform Encryption?

Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that’s maintained by Salesforce. By default, we combine these secrets to create your unique data encryption key. You can also supply your own final data encryption key. We use your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it

  • Adds new layer of security
  • Encrypt sensitive data at rest
  • Encryption key material is never saved or shared across orgs.
  • Customer driven encryption key
  • Available for free in Developer Edition orgs.

Need for Shield Platform Encryption

We need Shield platform encryption for

  1. Compliance requirements
  2. Contractual obligations

Classic Encryption Vs Shield Platform Encryption

Let see what’s the difference between Classic Encryption and Shield Platform Encryption?

FeatureClassic EncryptionPlatform Encryption
PricingIncluded in base user licenseAdditional fee applies
Encryption at RestYesYes
Encryption Algorithm128-bit Advanced Encryption Standard (AES)256-bit Advanced Encryption Standard (AES)
Encrypted Standard FieldsNoYes
Encrypted Custom FieldsDedicated custom field type, limited to 175 charactersYes
Manage Encryption Keys PermissionNoYes

Shield Platform Encryption Process Flow

Let understand how the shield platform encryption work behind the screen.

Salesforce Shield Platform Encryption Process Flow

Type of Salesforce Encryption

Type of Salesforce Encryption

Probabilistic Encryption

  1. Introduces an element of chance
  2. Source text repeatedly encrypted with the same key will normally yield different ciphertext. 
  3. Example – ‘hello world’ won’t always correspond to the same ciphertext.
  4. By default, probabilistic encryption in Salesforce.  
  5. No filtering
  6. It is recommended to use probabilistic encryption whenever data in a field will not need to be filtered on.

Custom Fields – Cannot

  1. encrypted custom fields in criteria-based sharing rules.
  2. Some custom fields can’t be encrypted.
  3. Schema Builder to create an encrypted custom field.
  4. Formula fields


Can’t include fields encrypted with the probabilistic encryption scheme in the following SOQL and SOSL clauses and functions:

  1. Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
  2. WHERE clause
  3. GROUP BY, ORDER BY clause

Deterministic Encryption

  1. Enable users to filter on encrypted data. 
  2. Uses a static initialization vector (IV) so that encrypted data can be matched to a particular field value. 
  3. Unique IV for a field in an org and can only be decrypted with your org-specific encryption key. 
  4. Ciphertext- can be repeatedly produced, given the same source text and key. 
  5. Example – ‘hello world’ == ‘&yy/ m/jyp’
  6. Case-Sensitive/Case-Insensitive

Planning for building apps with Platform Encryption

Planning for building apps with Platform Encryption

Best Practices for Platform Encryption

Before implementing Salesforce shield platform encryption let understand the best practices of platform encryption.

Best Practices for Platform Encryption

Key Management & Self-Service Background Encryption

Newly created and edited data are automatically encrypted with the most recent key. Existing data doesn’t automatically get encrypted. Self-Service Background Encryption. Synchronizing your data encryption doesn’t modify the record LastModifiedDate or LastModifiedById timestamps.

Shield Platform Encryption after sandbox refresh



Shield Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps. Encrypting data at rest adds another layer of protection to PII, sensitive, confidential, or proprietary data.

Amit Chaudhary

Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates. He is a active blogger and founder of Apex Hours.

Share this article

Leave a reply

Subscribe for Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 3,541 other subscribers

Our Supporter


Apex Hours

Apex Hours is one stop platform to learn Salesforce skills and technology

Join our Newsletter and get tips and tricks how to explore the salesforce for free!