Salesforce Shield Platform Encryption Implementation Guide
@salesforcedocs
Last updated: April 19, 2018
© Copyright 2000–2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
Strengthen Your Data's Security with Shield Platform Encryption
  Encrypt Fields, Files, and Other Data Elements With Encryption Policy
    Encrypt Fields
    Encrypt Files
    Get Statistics About Your Encryption Coverage
    Synchronize Your Data Encryption
    Fix Blockers
    Retrieve Encrypted Data with Formulas
    Apply Encryption to Fields Used in Matching Rules (Beta)
    Encrypt Data in Chatter
    Encrypt Search Index Files
  Filter Encrypted Data with Deterministic Encryption (Beta)
    How Deterministic Encryption Supports Filtering
    Encrypt Data Using the Deterministic Encryption Scheme
  Manage Shield Platform Encryption
    Generate a Secret
    Rotate Keys
    Export a Key
    Destroy a Key
    Stop Encryption
  How Encryption Works
    Can I Bring My Own Encryption Key?
    Encryptable Standard Fields
    Encryptable Custom Fields
    Encrypted Files
    Permissions
    Masked Data
    Encryption Flow
    Behind the Scenes: The Search Index Encryption Process
    Deployment
    Sandbox
    Terminology
    Classic Encryption
  Encryption Best Practices
  Encryption Trade-Offs
    General Trade-Offs
    App Trade-Offs
    Considerations for Using Deterministic Encryption (Beta)
    Lightning Trade-Offs
    Field Limits
STRENGTHEN YOUR DATA'S SECURITY WITH SHIELD PLATFORM ENCRYPTION
EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer '15 and later. Available in both Salesforce Classic and Lightning Experience.
Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.
Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it is protected even when other lines of defense have been compromised.
Your data encryption key is never saved or shared across organizations. Instead, it is derived on demand from a master secret and your organization-specific tenant secret, and cached on an application server, where the platform uses it to encrypt and decrypt your data. Encryption at rest protects the stored data; it does not replace the access controls that decide which users can read it.
You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It is available in sandboxes after it has been provisioned for your production org.
IN THIS SECTION:
Encrypt Fields, Files, and Other Data Elements With Encryption Policy
You have a lot of flexibility in how to implement your encryption policy. Encrypt individual fields and apply different encryption
schemes to those fields. Or choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes.
Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before
you implement your encryption strategy.
Filter Encrypted Data with Deterministic Encryption (Beta)
You can filter data that you have protected with Salesforce Shield Platform Encryption using deterministic encryption. Your users can filter records in reports and list views, even when the underlying fields are encrypted. Deterministic encryption supports WHERE clauses in SOQL queries and is compatible with unique and external ID fields. It also supports single-column indexes and single-column case-sensitive unique indexes. Shield Platform Encryption uses the Advanced Encryption Standard (AES) with 256-bit keys in CBC mode; the deterministic scheme uses a static initialization vector (IV), so the same plaintext always produces the same ciphertext. That property is what makes exact-match filtering possible, and it also means that anyone who can read the stored ciphertext can tell which records hold equal values. For that reason the probabilistic scheme, which uses a fresh IV for every value, remains the default.
Manage Shield Platform Encryption
To provide Shield Platform Encryption for your organization, contact your Salesforce account executive. They’ll help you provision
the correct license so you can get started on creating your own unique tenant secret.
How Shield Platform Encryption Works
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. We
combine these secrets to create your unique data encryption key. We use that key to encrypt data that your users put into Salesforce,
and to decrypt data when your authorized users need it.
Platform Encryption Best Practices
Take the time to identify the most likely threats to your organization. This helps you distinguish data that needs encryption from
data that doesn’t, so that you can encrypt only what you need to. Make sure that your tenant secret and keys are backed up, and be
careful who you allow to manage your secrets and keys.
Tradeoffs and Limitations of Shield Platform Encryption
A security solution as powerful as Shield Platform Encryption doesn't come without some tradeoffs. When your data is encrypted,
some users may see limitations to some functionality, and a few features aren't available at all. Consider the impact on your users
and your overall business solution as you design your encryption strategy.
Encrypt Fields, Files, and Other Data Elements With Encryption Policy
You have a lot of flexibility in how to implement your encryption policy. Encrypt individual fields and apply different encryption schemes to those fields. Or choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption strategy.
IN THIS SECTION:
Encrypt New Data in Fields
Select the fields you want to encrypt. For best results, encrypt the smallest possible number of fields.
Encrypt New Files and Attachments
For another layer of data protection, encrypt files and attachments. If Shield Platform Encryption is on, the body of each file or attachment is encrypted when it's uploaded.
Get Statistics About Your Encryption Coverage
The Encryption Statistics page provides an overview of all your encrypted data. This information
helps you to stay on top of your key rotation and management tasks. You can also use encryption statistics to identify which objects
and fields you may want to update after you rotate your key material.
Synchronize Your Data Encryption with the Background Encryption Service
Periodically, you’ll change your encryption policy. Or you’ll rotate your keys. To get the most protection out of your encryption
strategy, it's important to synchronize new and existing encrypted data under your most recent encryption policy and keys.
Fix Compatibility Problems
When you select fields or files to encrypt, Salesforce automatically checks for potential side effects and warns you if any existing
settings may pose a risk to data access or your normal use of Salesforce. You have some options for how to clear up these problems.
Use Encrypted Data in Formulas
Use custom formula fields to quickly find encrypted data. You can write formulas with several operators and functions, render
encrypted data in text, date, and date/time formats, and reference quick actions.
Apply Encryption to Fields Used in Matching Rules (Beta)
Matching rules used in duplicate management help you maintain clean and accurate data. Apply deterministic encryption to the
fields to make them compatible with standard and custom matching rules.
Encrypt Data in Chatter
Enabling Shield Platform Encryption for Chatter adds an extra layer of security to information that users share in Chatter. You can
encrypt data at rest in feed posts and comments, questions and answers, link names and URLs, poll questions and choices, and
content from your custom rich publisher apps.
Encrypt Search Index Files
Sometimes you need to search for personally identifiable information (PII) or data that’s encrypted in the database. When you search
your org, the results are stored in search index files. You can encrypt these search index files, adding another layer of security to your
data.
Encrypt New Data in Fields
Select the fields you want to encrypt. For best results, encrypt the smallest possible number of fields.
Depending on the size of your organization, enabling a standard field for encryption can take a few minutes.
1. Make sure that your organization has an active encryption key. If you're not sure, check with your administrator.
2. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
3. Click Encrypt Fields.
4. Click Edit.
5. Select the fields you want to encrypt.
All new data entered in this field is encrypted. By default, data is encrypted using a probabilistic encryption scheme. To apply deterministic encryption to your data, select Deterministic from the Encryption Scheme list. To read more about deterministic encryption, see "How Deterministic Encryption Supports Filtering" in Salesforce Help.
6. Click Save.
The automatic Platform Encryption validation service checks for settings in your organization that can block encryption. You receive an email with suggestions for fixing any incompatible settings.
Field values are automatically encrypted only in records created or updated after you've enabled encryption. Contact Salesforce to update existing records so that their field values are encrypted.
USER PERMISSIONS
To view setup: View Setup and Configuration
To encrypt fields: Customize Application
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the
difference?
SEE ALSO:
Which Standard Fields and Data Elements Can I Encrypt?
Which Custom Fields Can I Encrypt?
Field Limits with Shield Platform Encryption
Data Loader
Fix Compatibility Problems
Encrypt New Files and Attachments
Encrypt New Files and Attachments
For another layer of data protection, encrypt files and attachments. If Shield Platform Encryption is on, the body of each file or attachment is encrypted when it's uploaded.
Note: Before you begin, make sure that your organization has an active encryption key; if you're not sure, check with your administrator.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
2. Select Encrypt Files and Attachments.
3. Click Save.
Important: Users with access to the file can work normally with it regardless of their encryption-specific permissions. Users who are logged in to your org and have read access can search and view the body content. In other words, encrypting a file does not narrow who can read it; read access does, so review that access before relying on encryption.
Users can continue to upload files and attachments per the usual file size limits. Expansion of file sizes caused by encryption doesn't count against these limits.
Turning on file and attachment encryption affects new files and attachments. It doesn't automatically encrypt files and attachments that were already in Salesforce. To encrypt existing files, contact Salesforce.
To check whether a file or attachment is encrypted, look for the encryption indicator on the detail page of the file or attachment. You can also query the isEncrypted field on the ContentVersion object (for files) or on the Attachment object (for attachments).
USER PERMISSIONS
To view setup: View Setup and Configuration
To encrypt files: Customize Application
Here’s What It Looks Like When a File Is Encrypted.
SEE ALSO:
Encrypt New Data in Fields
Get Statistics About Your Encryption Coverage
The Encryption Statistics page provides an overview of all your encrypted data. This information helps you to stay on top of your key
rotation and management tasks. You can also use encryption statistics to identify which objects and fields you may want to update after
you rotate your key material.
IN THIS SECTION:
Gather Encryption Statistics
The Encryption Statistics page shows you how much of your data is encrypted by Shield Platform Encryption, and how much of that
data is encrypted by an active tenant secret. Use this information to inform your key rotation actions and timelines. You can also use
the Encryption Statistics page to collect information about the fields and objects you want to synchronize with the background
encryption service.
Interpret and Use Encryption Statistics
The Encryption Statistics page offers a snapshot of your encrypted data. You can use the information on this page to help make
informed decisions about managing your encrypted data.
Gather Encryption Statistics
The Encryption Statistics page shows you how much of your data is encrypted by Shield Platform Encryption, and how much of that data is encrypted by an active tenant secret. Use this information to inform your key rotation actions and timelines. You can also use the Encryption Statistics page to collect information about the fields and objects you want to synchronize with the background encryption service.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Statistics.
2. Select an object type or custom object from the left pane. If you see a "--" in the Data Encrypted or Uses Active Key columns, you haven't gathered statistics for that object yet.
3. Click Gather Statistics.
4. Refresh the page.
USER PERMISSIONS
To view Setup: View Setup and Configuration
The statistics show all available information about data for each object.
Note:
• The gathering process time varies depending on how much data you have in your object. You’re notified by email when the
gathering process is finished. You can gather statistics once every 24 hours.
• Feed Item doesn't display statistics because it's derived from Feed Post. Gathering statistics for Feed Post is sufficient to confirm
the encryption status of both Feed Post and Feed Item.
Interpret and Use Encryption Statistics
The Encryption Statistics page offers a snapshot of your encrypted data. You can use the information on this page to help make informed
decisions about managing your encrypted data.
The page offers two views of your encrypted data: a summary view and a detail view.
Encryption Summary View
The summary shows all your objects and statistics about the data in those objects.
• Object—Lists your standard and custom objects. Data about standard objects are aggregated for all standard objects of a given
type. Data about custom objects are listed for each custom object.
• Data Encrypted—The total percentage of data in an object that's encrypted. For example, a value of 22% for Account means that 22% of all data in Account records is encrypted; a value of 0% for Case means that none of the data in any Case is encrypted.
• Uses Active Key—The percentage of your encrypted data in that object or object type that is encrypted with the active tenant
secret.
When the numbers in both Data Encrypted and Uses Active Key columns are the same, all your encrypted data uses your active
tenant secret. A double dash (--) means that statistics haven’t been gathered for that object or object type yet.
Encryption Detail View
When you select an object, you see detailed statistics about the data stored in that object.
• Field—All encryptable standard and custom fields in that object that contain data.
• API Name—The API name for fields that contain data.
• Encrypted Records—The number of encrypted values stored in a field across all records of a given object type. For example, if you select the Account object and see "9" in the Encrypted Records column next to Account Name, there are nine encrypted Account Name values across all Account records.
• Unencrypted Records—The number of plaintext values stored in a field type.
• Mixed Tenant Secret Status—Indicates whether a mixture of active and archived tenant secrets apply to encrypted data in a
field type.
• Mixed Schemes— Indicates whether a mixture of deterministic and probabilistic encryption schemes apply to encrypted data
in a field type.
Note: The following applies to both encrypted and unencrypted records:
• The records count for a field doesn’t include NULL or BLANK values. A field with NULL or BLANK values may show a different
(smaller) records count than the actual number of records.
• The records count for compound fields such as Contact.Name or Contact.Address may show a different (larger) records
count than the actual number of records. The count includes the two or more fields that are counted for every record.
Usage Best Practices
Use these statistics to make informed decisions about your key management tasks.
• Update encryption policies—The encryption statistics detail view shows you which fields in an object contain encrypted data.
Use this information to periodically evaluate whether your encryption policies match your organization’s encryption strategy.
• Rotate keys—You may want to encrypt all your data with your active tenant secret. Review the encryption summary pane on the left side of the page. If the percentage in the Uses Active Key column is lower than the percentage in the Data Encrypted column, some of your data uses an archived tenant secret. To synchronize your data, contact Salesforce Customer Support.
• Synchronize data—Key rotation is an important part of any encryption strategy. When you rotate your key material, you may
want to apply the active key material to existing data. Review the Uses Active Key and Mixed Tenant Secret Status columns to
identify any fields that include data encrypted with an archived key. Make a note of these objects and fields, then contact
Salesforce Customer Support to request the background encryption job. Salesforce Customer Support can focus just on those
objects and fields you need to synchronize, keeping the background encryption job as short as possible.
Synchronize Your Data Encryption with the Background Encryption Service
Periodically, you’ll change your encryption policy. Or you’ll rotate your keys. To get the most protection out of your encryption strategy,
it's important to synchronize new and existing encrypted data under your most recent encryption policy and keys.
When change happens, Salesforce is here to help you synchronize your data. We can encrypt existing data in the background to ensure
data alignment with the latest encryption policy and tenant secret.
When We Do and Don’t Automatically Encrypt Your Data
• When you turn on encryption for specific fields or other data, newly created and edited data are automatically encrypted with the
most recent key.
• Data that’s already in your org doesn't automatically get encrypted. Our background encryption service takes care of that on request.
• When you change your tenant secret as part of your key rotation strategy, data that's already encrypted remains encrypted with the
old tenant secret. Our background encryption service can update it on request. And don't worry, you always have access to your
data as long as you don't destroy the old, archived keys.
• If you turn off encryption, data that’s already there is automatically decrypted based on the relevant key. Any functionality impacted
by having decrypted data is restored.
• If Salesforce support re-encrypts your data with a new key, any data that was encrypted with the destroyed key is skipped.
Note: Synchronizing your data encryption does not affect the record timestamp. It doesn't execute triggers, validation rules,
workflow rules, or any other automated service.
How to Request Background Encryption Service
Allow lead time
Contact Salesforce support at least a week before you need the background encryption completed. The time to complete the process
varies significantly based on the volume of data involved. It could take several days.
Specify the objects and fields
Provide the list of objects and field names you want encrypted or re-encrypted.
Verify the list
Verify that this list matches the set of standard fields selected on the Encrypt Standard Fields page, and the custom fields you selected
for encryption on the Field Definition page.
Tip: Also check that your field values aren’t too long for encryption.
Include files and attachments?
Encryption for files and attachments is all or nothing. You don't have to specify which ones.
Include history and feed data?
Specify whether you want the corresponding field history and feed data encrypted.
Choose a time
Select your preferred off-peak maintenance window. We try to accommodate your needs.
Tip: If you're not sure which data is already encrypted, visit the Encryption Statistics page, which keeps a record of all the fields
that you have encrypted.
Decrypting Data If the Key is Destroyed
It’s rare, but not impossible, that your encryption key has been destroyed. If so, your data can’t be automatically decrypted. To process
this data, you have some options.
• Reimport the destroyed key from a backup, then ask Salesforce support to synchronize your data with your encryption policy.
• Delete all the data that was encrypted with the destroyed key, then ask Salesforce support to synchronize your data.
• Ask Salesforce support to overwrite all the data that was encrypted with the destroyed key, using characters such as "?????", and
synchronize your data.
Note: When you disable encryption for files that were encrypted with a key that’s been destroyed, the files don’t automatically
go away. You can ask Salesforce support to delete the files.
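The key model described across this guide (a data encryption key derived on demand from the master secret and your tenant secret, a deterministic scheme that uses a static IV, archived tenant secrets that keep older ciphertext readable after a rotation, a background job that re-encrypts values under the active secret, and a destroyed secret that leaves unsynchronized values unrecoverable) can be exercised end to end in a small program. The Go program below is an added example written for this guide, not Salesforce code. The master secret, the tenant secret, the HMAC-SHA256 key derivation, and the one-byte version tag that records which tenant secret protects each value are all constructed for the demo; Salesforce's actual derivation runs inside HSMs and is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in: the real master secret never leaves Salesforce's HSMs.
var masterSecret = []byte("constructed-master-secret-for-demo-only")

// deriveKey mirrors the page's model: the AES-256 data key is derived on demand
// from master and tenant secret and never stored. HMAC-SHA256 is illustrative only.
func deriveKey(tenantSecret []byte) []byte {
	m := hmac.New(sha256.New, masterSecret)
	m.Write(tenantSecret)
	return m.Sum(nil)
}

// encryptCBC returns iv||ciphertext (PKCS#7). Deterministic: static all-zero IV.
func encryptCBC(key, pt []byte, deterministic bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if !deterministic {
		rand.Read(iv) // probabilistic scheme: fresh random IV (never errs since Go 1.24)
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

func decryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or ciphertext length")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	if n := int(out[len(out)-1]); n >= 1 && n <= aes.BlockSize {
		return out[:len(out)-n], nil
	}
	return nil, fmt.Errorf("bad padding")
}

// Tenant holds one org's tenant secrets by version: the active one plus archived ones.
type Tenant struct {
	active  byte
	secrets map[byte][]byte
}

// Rotate archives the current secret and activates a freshly generated one.
func (t *Tenant) Rotate() {
	s := make([]byte, 32)
	rand.Read(s)
	t.active++
	t.secrets[t.active] = s
}

// Encrypt derives the active key on demand and tags the value: version || iv || ciphertext.
func (t *Tenant) Encrypt(pt []byte, deterministic bool) ([]byte, error) {
	ct, err := encryptCBC(deriveKey(t.secrets[t.active]), pt, deterministic)
	if err != nil {
		return nil, err
	}
	return append([]byte{t.active}, ct...), nil
}

// Decrypt re-derives the key for the recorded version; a destroyed version is final.
func (t *Tenant) Decrypt(data []byte) ([]byte, error) {
	if len(data) == 0 || t.secrets[data[0]] == nil {
		return nil, fmt.Errorf("value empty or its tenant secret destroyed: unrecoverable")
	}
	return decryptCBC(deriveKey(t.secrets[data[0]]), data[1:])
}

func main() {
	t := &Tenant{active: 1, secrets: map[byte][]byte{1: []byte("constructed-tenant-secret-v1")}}
	a, _ := t.Encrypt([]byte("Alice"), true)
	b, _ := t.Encrypt([]byte("Alice"), true)
	p, _ := t.Encrypt([]byte("Alice"), false)
	fmt.Println("deterministic equal:", bytes.Equal(a, b), "probabilistic equal:", bytes.Equal(a, p))
	t.Rotate()                       // v1 archived, v2 active; a still decrypts
	pt, _ := t.Decrypt(a)
	synced, _ := t.Encrypt(pt, true) // what the background encryption job does
	delete(t.secrets, 1)             // destroy the archived v1 secret
	_, err := t.Decrypt(a)           // a was never synced: gone for good
	pt, _ = t.Decrypt(synced)
	fmt.Printf("unsynced: %v\nsynced: %s\n", err, pt)
}
```

Two things to take from the run. In the deterministic branch, two encryptions of "Alice" are byte-for-byte identical, which is exactly what lets the platform evaluate a WHERE clause against ciphertext, and exactly what someone with access to the stored data learns about which records share a value. After Rotate, the value written under secret v1 still decrypts because v1 is only archived; once v1 is deleted, only the copy that was re-encrypted under v2 remains readable. That is the reason the guide tells you to back up tenant secrets and to have Salesforce synchronize your data before you destroy a key.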
Fix Compatibility Problems
When you select fields or files to encrypt, Salesforce automatically checks for potential side effects and warns you if any existing settings may pose a risk to data access or your normal use of Salesforce. You have some options for how to clear up these problems.
If your results include error messages, you're probably running into one or more of these limitations:
Portals
You can't encrypt standard fields, because a customer portal or a partner portal is enabled in your organization. To deactivate a customer portal, go to the Customer Portal Settings page in Setup. To deactivate a partner portal, go to the Partners page in Setup.
Note: Communities are not related to this issue. They are fully compatible with encryption.
Criteria-Based Sharing Rules
You've selected a field that is used in a filter in a criteria-based sharing rule.
SOQL/SOSL queries
You've selected a field that's used in an aggregate function in a SOQL query, or in a WHERE, GROUP BY, or ORDER BY clause.
Formula fields
You’ve selected a field that’s referenced by a custom formula field in an unsupported way. Formulas can use BLANKVALUE, CASE,
HYPERLINK, IF, IMAGE, ISBLANK, ISNULL, and NULLVALUE, as well as concatenation (&).
Flows and Processes
You’ve selected a field that’s used in one of these contexts.
• To filter data in a flow
• To sort data in a flow
• To filter data in a process
• To filter data in a dynamic record choice
• To sort data in a dynamic record choice
Note: By default, your results only list the first 250 errors per element. You can increase the number of errors listed in your
results to 5000. Contact Salesforce for help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Encrypt New Data in Fields
Use Encrypted Data in Formulas
Use custom formula fields to quickly find encrypted data. You can write formulas with several operators and functions, render encrypted data in text, date, and date/time formats, and reference quick actions.
Supported Operators, Functions, and Actions
Supported operators and functions:
• & and + (concatenate)
• BLANKVALUE
• CASE
• HYPERLINK
• IF
• IMAGE
• ISBLANK
• ISNULL
• NULLVALUE
Also supported:
• Spanning
• Quick actions
Formulas can return data only in text, date, or date/time formats.
& And + (Concatenate)
This works:
(encryptedField__c & encryptedField__c)
Why it works: This works because & is supported.
This doesn’t work:
LOWER(encryptedField__c & encryptedField__c)
Why it doesn’t work: LOWER isn’t a supported function, and the input is an encrypted value.
Case
CASE returns encrypted field values, but doesn't compare them.
This works:
CASE(custom_field__c, "1", cf2__c, cf3__c)
where either or both cf2__c and cf3__c are encrypted
Why it works: custom_field__c is compared to "1". If they match, the formula returns cf2__c; otherwise it returns cf3__c. The encrypted fields are only returned, never used as comparison operands.
This doesn’t work:
CASE("1", cf1__c, cf2__c, cf3__c)
where cf1__c is encrypted
Why it doesn’t work: You can’t compare encrypted values.
ISBLANK and ISNULL
This works:
OR(ISBLANK(encryptedField__c), ISNULL(encryptedField__c))
Why it works: Both ISBLANK and ISNULL are supported. OR works in this example because ISBLANK and
ISNULL return a Boolean value, not an encrypted value.
Spanning
This works:
(LookupObject1__r.City & LookupObject1__r.Street) &
(LookupObject2__r.City & LookupObject2__r.Street) &
(LookupObject3__r.City & LookupObject3__r.Street) &
(LookupObject4__r.City & LookupObject4__r.Street)
How and why you use it: Spanning retrieves encrypted data from multiple entities. For example, let’s say you work in the
customer service department for Universal Containers. A customer has filed a case about a distribution
problem, and you want to see the scope of the issue. You want all the shipping addresses related
to this particular case. This example returns all the customers’ shipping addresses as a single string
in your case layout.
Validation
The encryption validation service checks your org to make sure that it’s compatible with encrypted formula field types.
When you encrypt a given field, the validation service:
• Retrieves all formula fields that reference the field
• Verifies that the formula fields are compatible with encryption
• Verifies that the formula fields aren’t used elsewhere for filtering or sorting
Limits
Up to 200 formula fields can reference a given encrypted custom field. A field that is referenced by more than 200 formula fields can’t
be encrypted. If you need to reference an encrypted custom field from more than 200 formula fields, contact Salesforce.
When you specify multiple fields to encrypt at one time, the 200-field limit is applied to the whole batch. If you know that you are
encrypting fields that have multiple formula fields pointing to them, encrypt those fields one at a time.
Apply Encryption to Fields Used in Matching Rules (Beta)
Matching rules used in duplicate management help you maintain clean and accurate data. Apply deterministic encryption to the fields to make them compatible with standard and custom matching rules.
Note: This release contains a beta version of Encryption for Matching Rules Used in Duplicate Management, which means it’s a high-quality feature with known limitations. Encryption for Matching Rules Used in Duplicate Management isn’t generally available unless or until Salesforce announces its general availability in documentation or in press releases or public statements. We can’t guarantee general availability within any particular time frame or at all. Make your purchase decisions only on the basis of generally available products and features.
Contact Salesforce to enable both Deterministic Encryption and Encryption for Matching Rules Used in Duplicate Management.
Ask an administrator with the Modify All Data permission to enable Deterministic Encryption from the Platform Encryption Advanced Settings page. If you don’t have a Data in Salesforce (Deterministic) type tenant secret, create one from the Platform Encryption Key Management page.
Important: Matching rules used in duplicate management don’t support probabilistically encrypted data.
USER PERMISSIONS
To view setup:
• View Setup and Configuration
To enable encryption key (tenant secret) management:
• Manage Profiles and Permission Sets
1. From Setup, in the Quick Find box, enter Matching Rules, and then select Matching Rules.
2. Deactivate the matching rules that reference fields you want to encrypt. If your matching rule is associated with an active duplicate rule, first deactivate the duplicate rule from the Duplicate Rules page. Then return to the Matching Rules page and deactivate the matching rule.
3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
4. Click Encrypt Fields.
5. Click Edit.
6. Select the fields you want to encrypt, and select Deterministic from the Encryption Scheme list.
7. Click Save.
8. Reactivate your matching rule and associated duplicate management rule.
Example: Let’s say you recently encrypted Billing Address on your Contacts, and you want to add this field to a custom matching rule. First, deactivate the rule or rules you want to add this field to. Make sure that Billing Address is encrypted with the deterministic encryption scheme. Then add Billing Address to your custom matching rule, just like you would add any other field. Finally, reactivate your rule.
Tip: Follow this process to add encrypted fields to existing custom matching rules.
You must update matching rules that reference encrypted fields when you rotate your key material. After you rotate your key material,
deactivate and then reactivate the affected matching rules. Then contact Salesforce to request the background encryption process.
When the background encryption process finishes, your matching rules can access all data encrypted with your active key material.
Encrypt Data in Chatter
Enabling Shield Platform Encryption for Chatter adds an extra layer of security to information that users share in Chatter. You can encrypt data at rest in feed posts and comments, questions and answers, link names and URLs, poll questions and choices, and content from your custom rich publisher apps.
To activate encryption for Chatter, contact Salesforce. Once encryption for Chatter is activated, we recommend that you test it in a dedicated Sandbox environment.
Unlike encryption for custom and standard fields, enabling encryption for Chatter encrypts all eligible Chatter fields.
USER PERMISSIONS
To view setup:
• View Setup and Configuration
To encrypt fields:
• Customize Application
1. To enable access to this feature, first contact Salesforce.
2. Make sure that your org has an active encryption key. If you’re not sure, check with your administrator.
3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
4. Click Encrypt Chatter.
The automatic Shield Platform Encryption validation service checks for settings that could block encryption. If the service finds potential problems, you’re sent an email with suggestions for fixing the problems.
After you activate encryption for Chatter, new data that you enter into Chatter gets encrypted. To encrypt historic Chatter, contact Salesforce.
When you edit or update an encrypted Chatter field, the field’s revision history is also encrypted. For example, if you update a post, the old version of the post remains encrypted.
If you enabled Encryption for Chatter in Spring ’17 and you want to access the most up-to-date features, deselect Encrypt Chatter and then reselect Encrypt Chatter.
Encrypt Search Index Files
Sometimes you need to search for personally identifiable information (PII) or data that’s encrypted in the database. When you search your org, the results are stored in search index files. You can encrypt these search index files, adding another layer of security to your data.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. Select Search Index from the picklist.
3. Select Generate Tenant Secret.
This new tenant secret encrypts only the data stored in search index files.
4. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
5. Select Encrypt Search Indexes.
Your search indexes are now encrypted with the active Search Index tenant secret.
USER PERMISSIONS
To view setup:
• View Setup and Configuration
To enable encryption key (tenant secret) management:
• Manage Profiles and Permission Sets
Filter Encrypted Data with Deterministic Encryption (Beta)
You can filter data that you have protected with Salesforce Shield Platform Encryption using deterministic encryption. Your users can filter records in reports and list views, even when the underlying fields are encrypted. Deterministic encryption supports WHERE clauses in SOQL queries and is compatible with unique and external ID fields. It also supports single-column indexes and single-column case-sensitive unique indexes. Shield Platform Encryption uses the Advanced Encryption Standard (AES) with 256-bit keys in CBC mode, and a static initialization vector (IV).
Note: This release contains a beta version of deterministic encryption with case-sensitive filtering, which means it’s a high-quality feature with known limitations. Deterministic encryption with case-sensitive filtering isn’t generally available unless or until Salesforce announces its general availability in documentation or in press releases or public statements. We can’t guarantee general availability within any particular time frame or at all. Make your purchase decisions based only on generally available products and features.
IN THIS SECTION:
How Deterministic Encryption Supports Filtering
By default, Salesforce encrypts data using a probabilistic encryption scheme. Each bit of data is turned into a fully random ciphertext
string every time it’s encrypted. Encryption doesn’t generally impact users who are authorized to view the data. The exceptions are
when logic is executed in the database or when encrypted values are compared to a string or to each other. In these cases, because
the data has been turned into random, patternless strings, filtering isn’t possible. For example, you might run a SOQL query in custom
Apex code against the Contact object, where LastName = 'Smith'. If the LastName field is encrypted with probabilistic encryption,
you can’t run the query. Deterministic encryption addresses this problem.
Encrypt Data Using the Deterministic Encryption Scheme
You apply deterministic encryption to a field by choosing this encryption scheme.
How Deterministic Encryption Supports Filtering
By default, Salesforce encrypts data using a probabilistic encryption scheme. Each bit of data is turned into a fully random ciphertext
string every time it’s encrypted. Encryption doesn’t generally impact users who are authorized to view the data. The exceptions are when
logic is executed in the database or when encrypted values are compared to a string or to each other. In these cases, because the data
has been turned into random, patternless strings, filtering isn’t possible. For example, you might run a SOQL query in custom Apex code
against the Contact object, where LastName = 'Smith'. If the LastName field is encrypted with probabilistic encryption, you can’t run the
query. Deterministic encryption addresses this problem.
To be able to use filters when data is encrypted, we have to allow some patterns in our data. Deterministic encryption uses a static initialization vector (IV) so that a given field value always produces the same ciphertext, which lets the system match a query value against stored ciphertext without reading the data. The IV is still unique to a given field in a given org, and the ciphertext can be decrypted only with your org-specific encryption key.
We evaluate the relative strengths and weaknesses of cryptographic approaches based on the types of attacks that can be launched
against a particular algorithm. We also consider the length of time that it could take for the attack to succeed. For example, it is commonly
said that a brute-force attack against an AES 256-bit key would take a billion billion years given current computing capabilities. Nevertheless,
it is common practice to rotate keys regularly.
Certain kinds of attacks become a bit less far-fetched when you get away from purely random ciphertext. For example, an attacker could
conceivably analyze deterministically encrypted ciphertext and determine that the cleartext string Alice always resolves to the
ciphertext YjNkY2JlNjU5M2JkNjk4MGJiNWE2NGQ5NzI5MzU1OTcNCg==. Given enough time to eavesdrop, an attacker
could defeat encryption by building a dictionary of cleartext values to ciphertext values.
The Salesforce Shield approach is to expose just enough determinism to enable bona fide users to filter on encrypted data while limiting
it enough to ensure that a given plaintext value does not universally result in the same ciphertext value across all fields, objects, or orgs.
Even if an attacker successfully matched cleartext to encrypted values for one field, the attacker would have to do it all over again for
any other field, and again for the same field in another object.
In this way, deterministic encryption only decreases encryption strength as minimally necessary to allow filtering.
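The trade-off described above, as an added example that is not Salesforce code: a Go program that encrypts the same value under AES-256-CBC twice with a fresh random IV (probabilistic) and twice with a static per-field IV (deterministic), then compares the ciphertexts the way an equality filter would. Salesforce does not publish how the per-field IV is derived or which padding it uses, so the HMAC-SHA256 derivation of the IV from the org, object and field labels, the PKCS#7 padding, the fixed key, and the labels "org1", "Contact", "Lead" and "LastName" are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pkcs7Pad/pkcs7Unpad: CBC needs whole blocks. The guide names AES-256-CBC but
// not the padding; PKCS#7 is assumed here.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is AES-256-CBC with a caller-chosen IV; the IV is prepended so one Decrypt serves both schemes.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// EncryptProbabilistic draws a fresh random IV per call, so two encryptions of
// "Smith" never match and WHERE LastName = 'Smith' cannot be evaluated on ciphertext.
func EncryptProbabilistic(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return cbcEncrypt(key, iv, plaintext)
}

// FieldIV is a static IV scoped to one field of one object in one org. The guide
// says the IV is unique per field and org but not how it is derived; HMAC-SHA256
// under the org key, truncated to one block, is an assumption made here.
func FieldIV(key []byte, org, object, field string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(org + "\x00" + object + "\x00" + field))
	return mac.Sum(nil)[:aes.BlockSize]
}

// EncryptDeterministic reuses FieldIV: equal plaintexts in the same field give
// equal ciphertexts (filterable); the same plaintext in another field does not.
func EncryptDeterministic(key []byte, org, object, field string, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, FieldIV(key, org, object, field), plaintext)
}

// Decrypt reads the prepended IV and strips the padding.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the org's 256-bit data encryption key
	p1, _ := EncryptProbabilistic(key, []byte("Smith"))
	p2, _ := EncryptProbabilistic(key, []byte("Smith"))
	d1, _ := EncryptDeterministic(key, "org1", "Contact", "LastName", []byte("Smith"))
	d2, _ := EncryptDeterministic(key, "org1", "Contact", "LastName", []byte("Smith"))
	d3, _ := EncryptDeterministic(key, "org1", "Lead", "LastName", []byte("Smith"))
	fmt.Println("probabilistic, same value, equal ciphertext:", bytes.Equal(p1, p2)) // false
	fmt.Println("deterministic, same field, equal ciphertext:", bytes.Equal(d1, d2)) // true
	fmt.Println("deterministic, other object, equal ciphertext:", bytes.Equal(d1, d3)) // false
	pt, _ := Decrypt(key, d1)
	fmt.Println("round trip:", string(pt)) // Smith
}
```

The three comparisons are the whole trade-off: the static IV is what makes an equality filter answerable on ciphertext, and it is also what lets anyone holding the ciphertexts see which rows share a value within that field. Scoping the IV to one field of one object in one org is what stops a dictionary built for Contact.LastName from being reused against Lead.LastName, and the case-sensitive scheme means "smith" and "Smith" do not collide either.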
Encrypt Data Using the Deterministic Encryption Scheme
You apply deterministic encryption to a field by choosing this encryption scheme.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
To enable preferences on the Advanced Settings page:
• Modify All Data
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. From the Choose Tenant Secret Type menu, select Data in Salesforce.
3. Generate or upload a tenant secret.
4. From Setup, in the Quick Find box, enter Platform Encryption, and then select Advanced Settings.
5. Enable Deterministic Encryption.
6. From Setup, select Key Management.
7. Select the Data in Salesforce (Deterministic) secret type.
8. Generate a tenant secret.
You can mix and match probabilistic and deterministic encryption, encrypting some fields one way and some fields the other.
Note: To generate a tenant secret, you must have the Manage Encryption Keys permission.
9. Enable encryption for each field, specifying the deterministic encryption scheme. How you do that depends on whether it’s a standard
field or a custom field.
• For standard fields, from Setup, select Encryption Policy, and then select Encrypt Fields. For each field you want to encrypt,
select the field name, and then choose Deterministic from the Encryption Scheme list.
• For custom fields, open the Object Manager and edit the field you want to encrypt. Select Encrypt the contents of this field,
and select Use case sensitive deterministic encryption.
10. Contact Salesforce Support to encrypt your existing data, or to re-encrypt data you previously encrypted with probabilistic encryption.
Manage Shield Platform Encryption
To provide Shield Platform Encryption for your organization, contact your Salesforce account executive. They’ll help you provision the correct license so you can get started on creating your own unique tenant secret.
Assign the Manage Encryption Keys, Manage Certificates, and Customize Application permissions to people you trust to manage tenant secrets and certificates. Users with the Manage Encryption Keys permission can generate, export, import, and destroy organization-specific keys. It's a good idea to monitor the key management activities of these users regularly with the setup audit trail.
Users with both Manage Certificates and Manage Encryption Keys permissions can manage certificates and tenant secrets with the Shield Platform Encryption Bring Your Own Key (BYOK) service. You can also monitor these users’ key and certificate management activities with the setup audit trail.
Authorized developers can generate, rotate, export, destroy, and reimport tenant secrets by coding a call to the TenantSecret object in the Salesforce API.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
IN THIS SECTION:
Generate a Tenant Secret
You can have Salesforce generate a unique tenant secret for your organization, or you can generate your own tenant secret using
your own external resources. In either case, you manage your own tenant secret: you can rotate it, archive it, and designate other
users to share responsibility for it.
Rotate Your Encryption Tenant Secrets
You control the life cycle of your data encryption keys by controlling the life cycle of your tenant secrets. It’s recommended to
regularly generate a new tenant secret and archive the previously active one.
Back Up Your Tenant Secret
Your tenant secret is unique to your organization and to the specific data to which it applies. Salesforce recommends that you export
your secret to ensure continued data access in cases where you need to gain access to the related data again.
Destroy A Tenant Secret
Only destroy tenant secrets in extreme cases where access to related data is no longer needed. Your tenant secret is unique to your
organization and to the specific data to which it applies. Once you destroy a tenant secret, related data is not accessible unless you
previously exported the key and then import the key back into Salesforce.
Disable Encryption on Fields
At some point, you may need to disable Shield Platform Encryption for fields, files, or both. You can turn field encryption on or off
individually, but file encryption is all or nothing.
SEE ALSO:
Which User Permissions Does Shield Platform Encryption Require?
The TenantSecret Object
Generate a Tenant Secret
You can have Salesforce generate a unique tenant secret for your organization, or you can generate your own tenant secret using your own external resources. In either case, you manage your own tenant secret: you can rotate it, archive it, and designate other users to share responsibility for it.
When you generate a new tenant secret, any new data is encrypted using this key. However, existing sensitive data remains encrypted using previous keys. In this situation, we strongly recommend re-encrypting these fields using the latest key. Contact Salesforce for help with this.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
IN THIS SECTION:
Generate a Tenant Secret with Salesforce
Salesforce makes it easy to generate a unique tenant secret from the Setup menu.
Manage Tenant Secrets by Type
Tenant secret types allow you to specify which kind of data you want to encrypt with a tenant secret. You can apply different key rotation cycles or key destruction policies to tenant secrets that encrypt different kinds of data. You can apply a tenant secret to search index files or to other data stored in Salesforce.
Generate Your Own Tenant Secret (BYOK)
When you supply your own tenant secret, you get the benefits of built-in Salesforce Shield Platform Encryption plus the extra
assurance that comes from exclusively managing your tenant secret.
SEE ALSO:
Permission Sets
Profiles
Generate a Tenant Secret with Salesforce
Salesforce makes it easy to generate a unique tenant secret from the Setup menu.
Only authorized users can generate tenant secrets from the Platform Encryption page. Ask your Salesforce admin to assign you the Manage Encryption Keys permission.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. In the Choose Tenant Secret Type dropdown list, choose a data type.
3. Click Generate Tenant Secret.
How often you can generate a tenant secret depends on the tenant secret type.
• You can generate tenant secrets for the Data in Salesforce type once every 24 hours in production orgs, and once every 4 hours in Sandbox orgs.
• You can generate tenant secrets for the Search Index type once every 7 days.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
Manage Tenant Secrets by Type
Tenant secret types allow you to specify which kind of data you want to encrypt with a tenant secret. You can apply different key rotation cycles or key destruction policies to tenant secrets that encrypt different kinds of data. You can apply a tenant secret to search index files or to other data stored in Salesforce.
Tenant secrets are categorized according to the kind of data they encrypt.
• Data in Salesforce, which includes fields, attachments, and files other than search index files
• Search index files
Note: Tenant secrets that were generated or uploaded before the Spring ’17 release are categorized as the Data in Salesforce type.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. In the Choose Tenant Secret Type dropdown list, choose a data type.
The Key Management page displays all tenant secrets of each data type. If you generate or upload a tenant secret while viewing tenant secrets of a particular type, it becomes the active tenant secret for that data.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
USER PERMISSIONS
To manage tenant secrets:
• Manage Certificates
AND
Manage Encryption Keys
Generate Your Own Tenant Secret (BYOK)
When you supply your own tenant secret, you get the benefits of built-in Salesforce Shield Platform Encryption plus the extra assurance that comes from exclusively managing your tenant secret.
Controlling your own tenant secret entails generating a BYOK-compatible certificate, using that certificate to encrypt and secure your self-generated tenant secret, then granting the Salesforce Shield Platform Encryption key management machinery access to your tenant secret.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
AND
Manage Certificates
IN THIS SECTION:
1. Generate a BYOK-Compatible Certificate
Use Salesforce to generate a certificate to encrypt the tenant secret that we’ll use to derive your org-specific data encryption key. You can generate a self-signed or certificate-authority (CA) signed certificate.
2. Generate and Wrap Your Tenant Secret
Generate a random number as your tenant secret. Then calculate a SHA-256 hash of the secret, and encrypt the secret itself (not the hash) with the public key from the certificate you generated.
3. Upload Your Tenant Secret
Once you have your tenant secret, upload it to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key.
4. Opt-Out of Key Derivation with BYOK (Beta)
If you don’t want Salesforce to derive a data encryption key for you, you can opt-out of key derivation and upload your own final
data encryption key. This puts you in even more control of the key material used to encrypt and decrypt your data. Contact Salesforce
to enable this feature.
Generate a BYOK-Compatible Certificate
Use Salesforce to generate a certificate to encrypt the tenant secret that we’ll use to derive your org-specific data encryption key. You can generate a self-signed or certificate-authority (CA) signed certificate.
To create a self-signed certificate:
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. Click Upload Tenant Secret.
3. Click Create Self-Signed Certificate.
4. Enter a unique name for your certificate in the Label field. The Unique Name field is filled in automatically based on what you entered in the Label field.
The Exportable Private Key (1), Use Platform Encryption (2), and Key Size (3) settings are pre-set. These settings ensure that your self-signed certificate is compatible with Salesforce Shield Platform Encryption.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
AND
Manage Certificates
5. When the Certificate and Key Detail page appears, click Download Certificate.
If you’re not sure whether a self-signed or CA-signed certificate is right for you, consult your organization’s security policy. See
Certificates and Keys in Salesforce Help for more about what each option implies.
To create a CA-signed certificate, follow the instructions in the Generate a Certificate Signed By a Certificate Authority topic in
Salesforce Help. Remember to manually change the Exportable Private Key, Key Size, and Platform Encryption settings to
ensure that your certificate is BYOK-compatible.
Generate and Wrap Your Tenant Secret
Generate a random number as your tenant secret. Then calculate a SHA-256 hash of the secret, and encrypt the secret itself (not the hash) with the public key from the certificate you generated.
1. Generate a 256-bit tenant secret using the method of your choice.
You can generate your tenant secret in one of 2 ways:
• Use your own on-premises resources to generate a tenant secret programmatically, using an open source library such as Bouncy Castle or OpenSSL.
Tip: We've provided a script on page 30 that may be useful as a guide to the process.
• Use a key brokering partner that can generate, secure, and share access to your tenant secret.
2. Wrap your tenant secret with the public key from the BYOK-compatible certificate you generated. Specify the OAEP padding scheme. Make sure the resulting encrypted tenant secret and hashed tenant secret files are encoded using base64.
3. Encode this encrypted tenant secret to base64.
4. Calculate a SHA-256 hash of the plaintext tenant secret.
5. Encode the SHA-256 hash of the plaintext tenant secret to base64.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
AND
Manage Certificates
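Steps 1 through 5 above, and the identical preparation the Opt-Out of Key Derivation topic later asks for with a customer-supplied data encryption key, as an added example that is not the script the guide refers to on page 30: a Go program that generates a 256-bit secret, wraps it with RSA-OAEP under the public key of a BYOK certificate, and base64-encodes both the wrapped secret and the SHA-256 hash of the plaintext secret, which are the two files the upload step asks for. Assumptions: the certificate is a throwaway self-signed one built inside the program as a stand-in for the one downloaded from Key Management; its 2048-bit key size is chosen for speed and is not the size the certificate page pre-sets; OAEP uses SHA-1 because the guide names the padding mode but not its hash. The unwrap routine only models the check a receiving side would make; how Salesforce validates the pair is not documented here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GenerateTenantSecret draws 32 bytes (256 bits) from the OS CSPRNG.
func GenerateTenantSecret() ([]byte, error) {
	secret := make([]byte, 32)
	_, err := rand.Read(secret)
	return secret, err
}

// PublicKeyFromCertPEM parses the certificate downloaded from Key Management
// and returns the RSA public key the secret is wrapped under.
func PublicKeyFromCertPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// WrapTenantSecret returns the two upload artifacts, both base64 encoded: the secret
// wrapped with RSA-OAEP under the certificate's public key, and the SHA-256 hash of the
// plaintext secret. Assumption: OAEP uses SHA-1 (OpenSSL's rsa_padding_mode:oaep default).
func WrapTenantSecret(pub *rsa.PublicKey, secret []byte) (string, string, error) {
	if len(secret) != 32 {
		return "", "", errors.New("tenant secret must be exactly 256 bits")
	}
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return "", "", err
	}
	sum := sha256.Sum256(secret)
	return base64.StdEncoding.EncodeToString(wrapped), base64.StdEncoding.EncodeToString(sum[:]), nil
}

// UnwrapAndCheck models the receiving side: unwrap with the private key, then reject the pair if the hash does not match.
func UnwrapAndCheck(priv *rsa.PrivateKey, wrappedB64, hashB64 string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(wrappedB64)
	if err != nil {
		return nil, err
	}
	secret, err := rsa.DecryptOAEP(sha1.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	if base64.StdEncoding.EncodeToString(sum[:]) != hashB64 {
		return nil, errors.New("hash does not match unwrapped secret")
	}
	return secret, nil
}

// SelfSignedCertPEM builds a throwaway self-signed certificate so the example runs
// offline; it stands in for the BYOK certificate downloaded from Salesforce.
func SelfSignedCertPEM(bits int) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	_, certPEM, _ := SelfSignedCertPEM(2048) // constructed stand-in; a real run reads the downloaded certificate file
	pub, _ := PublicKeyFromCertPEM(certPEM)  // errors dropped in this demo only
	secret, _ := GenerateTenantSecret()
	wrapped, hash, _ := WrapTenantSecret(pub, secret)
	fmt.Println("encrypted tenant secret (base64):", wrapped)
	fmt.Println("hashed tenant secret (base64):   ", hash)
}
```

Two things the program enforces that the steps leave implicit: the secret is exactly 32 bytes before it is wrapped, and the hash is computed over the plaintext secret, never over the wrapped blob. Keep the plaintext secret off disk once the two base64 files exist, and keep the certificate's private key exportable only as far as your policy allows, since whoever holds it can unwrap the secret.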
Upload Your Tenant Secret
Once you have your tenant secret, upload it to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. Click Upload Tenant Secret.
3. In the Upload Tenant Secret section, attach both the encrypted tenant secret and the hashed plaintext tenant secret. Click Upload.
This tenant secret automatically becomes the active tenant secret.
Note: The tenant secret whose certificate has the latest expiration date automatically becomes the active tenant secret.
USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys
AND
Manage Certificates
Your tenant secret is now ready to be used for key derivation. From here on, the Shield Key Management Service (KMS) uses your
tenant secret to derive an org-specific data encryption key. The app server then uses this key to encrypt and decrypt your users’ data.
4. Export your tenant secret and back it up as prescribed in your organization’s security policy.
To restore your tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It is encrypted
with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in Salesforce Help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Opt-Out of Key Derivation with BYOK (Beta)
If you don’t want Salesforce to derive a data encryption key for you, you can opt-out of key derivation and upload your own final data encryption key. This puts you in even more control of the key material used to encrypt and decrypt your data. Contact Salesforce to enable this feature.
Note: This release contains a beta version of Opt Out of Key Derivation, which means it’s a high-quality feature with known limitations. Opt Out of Key Derivation isn’t generally available unless or until Salesforce announces its general availability in documentation or in press releases or public statements. We can’t guarantee general availability within any particular time frame or at all. Make your purchase decisions only based on generally available products and features.
Generate your customer-supplied data encryption key using a method of your choice. Then calculate a SHA-256 hash of the key, and encrypt the key itself (not the hash) with the public key from a BYOK-compatible certificate. See Upload Your Tenant Secret for details about how to prepare customer-supplied key material.
USER PERMISSIONS
To edit the Platform Encryption Advanced Settings page:
• Modify All Data
To manage key material:
• Manage Encryption Keys
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Advanced Settings.
2. Enable Allow BYOK to Opt-Out of Key Derivation.
You now have the ability to opt-out of key derivation when you upload key material.
3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
4. Click Upload Tenant Secret.
5. Uncheck Use Salesforce key derivation.
6. In the Upload Tenant Secret section, attach both your encrypted data encryption key and your hashed plaintext data encryption key.
23
Strengthen Your Data's Security with Shield Platform Rotate Your Encryption Tenant Secrets
Encryption
7. Click Upload.
This data encryption key automatically becomes the active key.
From here on, the Shield Key Management Service (KMS) skips the derivation process and uses your data encryption key to directly
encrypt and decrypt your data. You can review the derivation status of all key material on the Key Management page.
8. Export your data encryption key and back it up as prescribed in your organization’s security policy.
To restore your data encryption key, reimport it. The exported data encryption key is different from the data encryption key you
uploaded. It is encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in
Salesforce Help.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Rotate Your Encryption Tenant Secrets
You control the life cycle of your data encryption keys by controlling the life cycle of your tenant secrets. It’s recommended to regularly generate a new tenant secret and archive the previously active one.
Consult your organization’s security policies to decide how often to rotate your tenant secrets. You can rotate a tenant secret once every 24 hours in production orgs and every 4 hours in sandbox environments.
The key derivation function uses a master secret, which is rotated with each major Salesforce release. Master secret rotation doesn’t impact your encryption keys or your encrypted data until you rotate your tenant secret.

USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys

1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. From the Choose Tenant Secret Type dropdown, choose a data type.
3. Check the status of the data type’s tenant secrets. Existing tenant secrets are listed as active, archived, or destroyed.
   ACTIVE
   Can be used to encrypt and decrypt new or existing data.
   ARCHIVED
   Can’t encrypt new data. Can be used to decrypt data previously encrypted with this key when it was active.
   DESTROYED
   Can’t encrypt or decrypt data. Data encrypted with this key when it was active can no longer be decrypted. Files and attachments encrypted with this key can no longer be downloaded.
4. Click Generate New Tenant Secret or Upload Tenant Secret. If uploading a customer-supplied tenant secret, upload your encrypted tenant secret and tenant secret hash.
5. If you want to re-encrypt field values with a newly generated tenant secret, contact Salesforce support.
   To update your data, export the objects via the API or run a report that includes the record ID. These actions trigger the encryption service to encrypt the existing data again using the newest key.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Back Up Your Tenant Secret
Your tenant secret is unique to your organization and to the specific data to which it applies. Salesforce recommends that you export your secret to ensure continued data access in cases where you need to gain access to the related data again.

USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys

1. In Setup, use the Quick Find box to find the Platform Encryption setup page.
2. In the table that lists your keys, find the tenant secret you want and click Export.
3. Confirm your choice in the warning box, then save your exported file.
   The file name is tenant-secret-org-<organization ID>-ver-<tenant secret version number>.txt. For example, tenant-secret-org-00DD00000007eTR-ver-1.txt.
4. Note the specific version you’re exporting, and give the exported file a meaningful name. Store the file in a safe location in case you need to import it back into your organization.
   Note: Your exported tenant secret is itself encrypted.
5. To import your tenant secret again, click Import > Choose File and select your file. Make sure you’re importing the correct version of the tenant secret.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Destroy A Tenant Secret
Only destroy tenant secrets in extreme cases where access to related data is no longer needed. Your tenant secret is unique to your organization and to the specific data to which it applies. Once you destroy a tenant secret, related data is not accessible unless you previously exported the key and then import the key back into Salesforce.
You are solely responsible for making sure your data and tenant secrets are backed up and stored in a safe place. Salesforce can’t help you with deleted, destroyed, or misplaced tenant secrets.

USER PERMISSIONS
To manage tenant secrets:
• Manage Encryption Keys

1. In Setup, use the Quick Find box to find the Platform Encryption setup page.
2. In the table that lists your tenant secrets, go to the row that contains the one you want to destroy and click Destroy.
3. A warning box appears. Type in the text as shown and select the checkbox acknowledging that you’re destroying a tenant secret, then click Destroy.
   File previews and content that was already cached in the user’s browser may still be visible in cleartext after you destroy the key that encrypted that content, until the user logs in again.
   If you create a sandbox organization from your production organization and then destroy the tenant secret in your sandbox organization, the tenant secret still exists in the production organization.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Disable Encryption on Fields
At some point, you may need to disable Shield Platform Encryption for fields, files, or both. You can turn field encryption on or off individually, but file encryption is all or nothing.
When you turn off Shield Platform Encryption for a field, most encrypted data is automatically mass-decrypted. The decryption starts automatically after you disable encryption for specific fields and save your changes. When data is decrypted, any functionality that was limited or unavailable when the data was encrypted is also restored. Salesforce notifies you by email when the decryption process is complete.
Long text area and rich text area field types can’t be automatically decrypted. If you decrypt data encrypted with a destroyed key, that data can’t be mass-decrypted.
Note: If you disable Shield Platform Encryption and can’t access data in fields that were previously encrypted, contact Salesforce for help.

USER PERMISSIONS
To view setup:
• View Setup and Configuration
To disable encryption:
• Customize Application

1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
2. Click Encrypt Fields, then click Edit.
3. Deselect the fields you want to stop encrypting, then click Save.
   Users can see data in these fields.
4. To disable encryption for files or Chatter, deselect those features from the Encryption Policy page and click Save.
The functionality that was limited or changed by Platform Encryption is restored for your data after it’s decrypted.
How Shield Platform Encryption Works
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. We combine these secrets to create your unique data encryption key. We use that key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it.
Encrypting files, fields, and attachments has no effect on your organization’s storage limits.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

IN THIS SECTION:
Can I Bring My Own Encryption Key?
Yes. You can generate and store your customer-supplied key material outside of Salesforce using your own crypto libraries, enterprise key management system, or hardware security module (HSM). You then grant the Salesforce Shield Platform Encryption key management machinery access to those keys. You can choose to encrypt your keys with a public key from a self-signed or CA-signed certificate.
Which Standard Fields and Data Elements Can I Encrypt?
You can encrypt certain fields on standard and custom objects, data in Chatter, and search index files. With some exceptions, encrypted fields work normally throughout the Salesforce user interface, business processes, and APIs.
Which Custom Fields Can I Encrypt?
You can encrypt the contents of fields that belong to one of these custom field types, on either standard or custom objects.
Which Files Are Encrypted?
When you enable Shield Platform Encryption for files and attachments, all files and attachments that can be encrypted are encrypted. The body of each file or attachment is encrypted when it’s uploaded.
Which User Permissions Does Shield Platform Encryption Require?
Assign permissions to your users according to their roles regarding encryption and key management. Some users need permission to select data for encryption, while other users require combinations of permissions to work with certificates or tenant secrets. You can enable these permissions for user profiles just like you would any other user permission.
Why Isn’t My Encrypted Data Masked?
If the encryption service isn’t available, data is masked in some types of encrypted fields. This is to help you troubleshoot encryption key issues, not to control user access to data. If you have data that you don’t want some users to see, revisit those users’ field-level security settings, record access settings, and object permissions.
Behind the Scenes: The Shield Platform Encryption Process
When users submit data, the application server looks for the org-specific data encryption key in its cache. If it isn’t there, the application server gets the encrypted tenant secret from the database and asks the key derivation server to derive the key. The encryption service then encrypts the data on the application server.
Behind the Scenes: The Search Index Encryption Process
The Salesforce search engine is built on the open-source enterprise search platform software Apache Solr. The search index, which stores tokens of record data with links back to the original records stored in the database, is housed within Solr. Partitions divide the search index into segments to allow Salesforce to scale operations. Apache Lucene is used for its core library.
How Do I Deploy Shield Platform Encryption?
When you deploy Shield Platform Encryption to your org with a tool such as Force.com IDE, Migration Tool, or Workbench, the Encrypted field attribute persists. However, if you deploy to orgs with different encryption settings, the effect depends on whether Shield Platform Encryption is enabled in the target org.
How Does Shield Platform Encryption Work In a Sandbox?
Refreshing a sandbox from a production organization creates an exact copy of the production organization. If Shield Platform Encryption is enabled on the production organization, all encryption settings are copied, including tenant secrets created in production.
Shield Platform Encryption Terminology
Encryption has its own specialized vocabulary. To get the most out of your Shield Platform Encryption features, it’s a good idea to familiarize yourself with the key terms, such as hardware security module, key rotation, and master secret.
What’s the Difference Between Classic Encryption and Shield Platform Encryption?
With Shield Platform Encryption, you can encrypt a variety of widely used standard fields, along with some custom fields and many kinds of files. Shield Platform Encryption also supports person accounts, cases, search, approval processes, and other key Salesforce features. Classic encryption lets you protect only a special type of custom text field, which you create for that purpose.
Can I Bring My Own Encryption Key?
Yes. You can generate and store your customer-supplied key material outside of Salesforce using your own crypto libraries, enterprise key management system, or hardware security module (HSM). You then grant the Salesforce Shield Platform Encryption key management machinery access to those keys. You can choose to encrypt your keys with a public key from a self-signed or CA-signed certificate.
To work with our key management machinery, your customer-supplied key material needs to meet these specifications:
• 256-bit size
• Encrypted with a public RSA key that is extracted from the downloaded BYOK certificate, then padded using OAEP padding
• Once it’s encrypted, it must be encoded in standard base64
To work with encryption keys, you'll need the Manage Encryption Keys permission. To generate BYOK-compatible certificates, you’ll need the Customize Application permission.

IN THIS SECTION:
Why Bring Your Own Key?
Bring Your Own Key (BYOK) gives you an extra layer of protection in the event of unauthorized access to critical data. It may also help you meet the regulatory requirements that come with handling financial data, such as credit card numbers; health data, such as patient care records or insurance information; or other kinds of private data, such as social security numbers, addresses, and phone numbers. Once you’ve set up your key material, you can use Shield Platform Encryption as you normally would to encrypt data at rest in your Salesforce org.
Take Good Care of Your Keys
When you create and store your own key material outside of Salesforce, it’s important that you safeguard that key material. Make sure that you have a trustworthy place to archive your key material; never save a tenant secret or data encryption key on a hard drive without a backup.
Sample Script for Generating a BYOK Tenant Secret
We’ve provided a helper script that may be handy for preparing your tenant secret for installation. It generates a random number as your tenant secret, calculates a SHA256 hash of the secret, and uses the public key from the certificate to encrypt the secret.
Troubleshooting Bring Your Own Key
One or more of these frequently asked questions may help you troubleshoot any problems that arise.
Why Bring Your Own Key?
Bring Your Own Key (BYOK) gives you an extra layer of protection in the event of unauthorized access to critical data. It may also help you meet the regulatory requirements that come with handling financial data, such as credit card numbers; health data, such as patient care records or insurance information; or other kinds of private data, such as social security numbers, addresses, and phone numbers. Once you’ve set up your key material, you can use Shield Platform Encryption as you normally would to encrypt data at rest in your Salesforce org.
Shield Platform Encryption enables Salesforce administrators to manage the lifecycle of their data encryption keys while protecting these keys from unauthorized access. By controlling the lifecycle of your organization’s tenant secrets, you control the lifecycle of the data encryption keys derived from them.
Salesforce-generated data encryption keys aren’t stored in Salesforce. Instead, they’re derived on demand whenever a key is needed to encrypt or decrypt customer data, using a master secret and a tenant secret. The master secret is generated once per release for everyone by a hardware security module (HSM). The tenant secret is unique to your org, and you control when it is generated, activated, and retired.
You can generate your tenant secrets in two ways:
• Use the Shield Key Management Service (KMS) to have your org-specific tenant secret generated for you.
• Use the infrastructure of your choice, such as an on-premises HSM, to generate and manage your tenant secret. This option is popularly known as “Bring Your Own Key,” although the element you’re really bringing is the tenant secret from which the key is derived.
Note: The Key Derivation Opt-Out (Beta) feature lets you bypass the Shield KMS’s key derivation process. Use the infrastructure of your choice to create a data encryption key instead of a tenant secret. Then upload this data encryption key to Salesforce. We use this key material as your final data encryption key for data encryption and decryption. You can rotate customer-supplied data encryption keys just like you would rotate a customer-supplied tenant secret. Contact Salesforce to enable this feature.
Take Good Care of Your Keys
When you create and store your own key material outside of Salesforce, it’s important that you safeguard that key material. Make sure that you have a trustworthy place to archive your key material; never save a tenant secret or data encryption key on a hard drive without a backup.
Back up all imported key material after you upload it to Salesforce. This ensures that you have copies of your active key material. See Back Up Your Tenant Secret in Salesforce Help.
Review your company policy on key rotation. You can rotate and update your keys on your own schedule. See Rotate Your Encryption Keys.
Important: If you accidentally destroy a tenant secret that isn't backed up, Salesforce won’t be able to help you retrieve it.
Sample Script for Generating a BYOK Tenant Secret
We’ve provided a helper script that may be handy for preparing your tenant secret for installation. It generates a random number as your tenant secret, calculates a SHA256 hash of the secret, and uses the public key from the certificate to encrypt the secret.
1. Download the script from the Salesforce Knowledge Base. Save it in the same directory as the certificate.
2. Run the script specifying the certificate name, like this: ./secretgen.sh my_certificate.crt
   Replace this certificate name with the actual filename of the certificate you downloaded.
   Tip: If needed, use chmod +w secretgen.sh to make sure you have write permission to the file and use chmod 775 to make it executable.
3. The script generates a number of files. Look for the two files that end with the .b64 suffix. The files ending in .b64 are your base64-encoded encrypted tenant secret and base64-encoded hash of the plaintext tenant secret. You’ll need both of these files for the next step.
Troubleshooting Bring Your Own Key
One or more of these frequently asked questions may help you troubleshoot any problems that arise.

I’m trying to use the script you provide, but it won’t run.
Make sure that you are running the right script for your operating system. If you are working on a Windows machine, you can install a Linux emulator and use the Linux script. These issues can also prevent the script from running:
• You don’t have write permission in the folder you’re trying to run the script from. Try running the script from a folder that you have write permission for.
• The certificate that the script references is missing. Make sure you’ve properly generated the certificate.
• The certificate is missing or is not being referenced by the correct name. Make sure you’ve entered the correct file name for your certificate in the script.

I want to use the script you provide, but I also want to use my own random number generator.
The script we provide uses a random number generator to create a random value that is then used as your tenant secret. If you would like to use a different generator, replace head -c 32 /dev/urandom | tr '\n' = (or, in the Mac version, head -c 32 /dev/urandom > $PLAINTEXT_SECRET) with a command that generates a random number using your preferred generator.

What if I want to use my own hashing process to hash my tenant secret?
No problem. Just make sure that the end result meets these requirements:
• Uses the SHA-256 algorithm.
• Results in a base64-encoded hashed tenant secret.
• Generates the hash of the random number BEFORE encrypting it.
If any of these three criteria aren’t met, you won’t be able to upload your tenant secret.

How should I encrypt my tenant secret before I upload it to Salesforce?
If you’re using the script provided, the encryption process is taken care of. If you do not use the script, specify the OAEP padding scheme when you encrypt your tenant secret. Make sure the resulting encrypted tenant secret and hashed tenant secret files are encoded using base64. If either of these criteria is not met, you won’t be able to upload your tenant secret.
If you choose not to use the script provided, follow the instructions in the Generate And Wrap Your Tenant Secret Help topic.

I can’t upload my Encrypted tenant secret and Hashed tenant secret.
A handful of errors can prevent your files from uploading. Use the chart to make sure that your tenant secrets and certificates are in order.

Possible cause: Your files were generated with an expired certificate.
Solution: Check the date on your certificate. If it has expired, you can renew your certificate or use another one.

Possible cause: Your certificate is not active, or is not a valid Bring Your Own Key certificate.
Solution: Ensure that your certificate settings are compatible with the Bring Your Own Key feature. Under the Certificate and Key Edit section of the Certificates page, select a 4096-bit certificate size, disable Exportable Private Key, and enable Platform Encryption.

Possible cause: You haven’t attached both the encrypted tenant secret and the hashed tenant secret.
Solution: Make sure that you attach both the encrypted tenant secret and hashed tenant secret. Both of these files should have a .b64 suffix.

Possible cause: Your tenant secret or hashed tenant secret wasn’t generated properly.
Solution: Several problems can cause this error. Usually, the tenant secret or hashed tenant secret wasn't generated using the correct SSL parameters. If you are using OpenSSL, you can refer to the script for an example of the correct parameters you should use to generate and hash your tenant secret. If you are using a library other than OpenSSL, check that library's support page for help finding the correct parameters to both generate and hash your tenant secret. Still stuck? Contact your Salesforce account executive. They'll put you in touch with someone at Salesforce who can help.

I’m still having problems with my key. Who should I talk to?
If you still have questions, contact your account executive. They’ll put you in touch with a support team specific to this feature.
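The key-material specifications above (a 256-bit secret, a SHA-256 hash taken of the plaintext before encryption, RSA-OAEP wrapping with the public key from the BYOK certificate, both results base64-encoded) are the same whether you upload a tenant secret or, with Opt Out of Key Derivation, a final data encryption key. The script below is an added example written for this guide; it is not Salesforce's secretgen.sh and makes no claim about that script's internals. It uses only the openssl command line. The file name byok_prepare.sh, the output file names, and the throwaway self-signed certificate are assumptions for the example; for a real upload, pass the certificate you downloaded from Salesforce. The OAEP digest is left at OpenSSL's default, which is an assumption; if an upload is rejected, compare the parameters with the current secretgen.sh.

```shell
#!/bin/sh
# byok_prepare.sh (hypothetical name): prepare a BYOK tenant secret for upload
# with the openssl command line. Added example for this guide, not Salesforce's
# secretgen.sh.
#   1. 256-bit random tenant secret (32 bytes)                  -> plaintext.bin
#   2. SHA-256 hash of the PLAINTEXT secret, base64-encoded     -> hashed.b64
#   3. secret wrapped with the certificate's RSA public key using OAEP
#      padding, base64-encoded                                  -> encrypted.b64
# Usage: ./byok_prepare.sh my_certificate.crt outdir
set -eu

# Pull the RSA public key out of the downloaded PEM certificate.
extract_public_key() {            # $1 = certificate file, $2 = output public key file
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Draw the 256-bit tenant secret from OpenSSL's CSPRNG as raw bytes.
generate_secret() {               # $1 = output file for the plaintext secret
    openssl rand -out "$1" 32
}

# Hash the plaintext secret BEFORE it is encrypted; base64 digest on stdout.
hash_secret() {                   # $1 = plaintext secret file
    openssl dgst -sha256 -binary "$1" | openssl base64 -A
}

# Wrap the plaintext secret with RSA-OAEP under the public key; base64 on stdout.
# The OAEP digest is OpenSSL's default here (assumption; compare with secretgen.sh).
wrap_secret() {                   # $1 = plaintext secret file, $2 = public key file
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Produce the two .b64 upload files plus the plaintext, which you must back up.
prepare_tenant_secret() {         # $1 = certificate file, $2 = output directory
    umask 077                     # everything written here is key material
    mkdir -p "$2"
    extract_public_key "$1" "$2/public.pem"
    generate_secret "$2/plaintext.bin"
    hash_secret "$2/plaintext.bin" > "$2/hashed.b64"
    wrap_secret "$2/plaintext.bin" "$2/public.pem" > "$2/encrypted.b64"
}

# Consistency check for a key pair you hold (self-signed test certificate only):
# unwrap encrypted.b64, rehash, and compare with hashed.b64. Exit status 0 on a match.
verify_tenant_secret() {          # $1 = private key file, $2 = output directory
    openssl base64 -d -A -in "$2/encrypted.b64" |
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep |
        openssl dgst -sha256 -binary | openssl base64 -A > "$2/recovered.b64"
    cmp -s "$2/hashed.b64" "$2/recovered.b64"
}

# Throwaway self-signed 4096-bit certificate, constructed to test the pipeline.
# For a real upload use the BYOK certificate downloaded from Salesforce instead.
make_test_certificate() {         # $1 = directory that receives test.key and test.crt
    openssl req -x509 -newkey rsa:4096 -nodes -subj "/CN=byok-example" \
        -keyout "$1/test.key" -out "$1/test.crt" -days 1 2>/dev/null
}

# Stand-alone use: ./byok_prepare.sh my_certificate.crt outdir
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    prepare_tenant_secret "$1" "$2"
    echo "upload $2/encrypted.b64 and $2/hashed.b64; back up $2/plaintext.bin"
fi
```

The verify step is only possible with a certificate whose private key you hold, such as the self-signed test certificate; a real BYOK certificate has Exportable Private Key disabled, so the only check Salesforce can perform is that the hash you upload matches the secret it unwraps, which is why the hash must be computed over the plaintext before wrapping. The plaintext.bin file is the value that must be archived per the Take Good Care of Your Keys section; once the upload is done, keep it only in your key backup location.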
Which Standard Fields and Data Elements Can I Encrypt?
You can encrypt certain fields on standard and custom objects, data in Chatter, and search index files. With some exceptions, encrypted fields work normally throughout the Salesforce user interface, business processes, and APIs.
When you encrypt a field, existing values aren't encrypted immediately. Values are encrypted only after they are touched. Contact Salesforce for help encrypting existing data.

Encrypted Standard Fields
You can encrypt the contents of these standard field types.
Accounts
• Account Name
• Billing Address (encrypts Billing Street and Billing City)
• Shipping Address (encrypts Shipping Street and Shipping City)
• Phone
• Fax
• Website
• Description
• Account Site
Note: If your org has enabled Person Accounts, certain account and contact fields are combined into one record. In that case, you can enable encryption for a different set of Account fields.
Accounts (if Person Accounts enabled for your org)
• Account Name
• Billing Address (encrypts Billing Street and Billing City)
• Shipping Address (encrypts Shipping Street and Shipping City)
• Phone
• Fax
• Website
• Description
• Account Site
• Mailing Address (encrypts Mailing Street and Mailing City)
• Other Address (encrypts Other Street and Other City)
• Mobile
• Home Phone
• Other Phone
• Assistant Phone
• Email
• Title
• Assistant
Contacts
• Name (encrypts First Name, Middle Name, and Last Name)
• Mailing Address (encrypts Mailing Street and Mailing City)
• Other Address (encrypts Other Street and Other City)
• Phone
• Fax
• Mobile
• Home Phone
• Other Phone
• Assistant Phone
• Email
• Title
• Assistant
• Description
Leads
• Name (encrypts First Name, Middle Name, and Last Name)
• Title
• Company
• Address (encrypts Street and City)
• Phone
• Mobile
• Fax
• Email
• Website
• Description
Opportunities
• Opportunity Name
• Description
• Next Step
Cases
• Subject
• Description
Case Comments
• Body (including internal comments)
Contract
• Billing Address (encrypts Billing Street and Billing City)
Other Encrypted Fields and Data Elements
Individual
• Name
Note: The Individual object is available only if you enable the org setting to make data protection details available in records.
Chatter feed
• Feed Comment—Body
• Feed Item—Body
• Feed Item—Title
• Feed Revision—Value
These fields include feed posts, questions and answers, link names, comments, and poll questions. They don’t encrypt poll choices.
The revision history of encrypted Chatter fields is also encrypted. If you edit or update an encrypted Chatter field, the old information
remains encrypted.
Note: Enabling Encryption for Chatter encrypts all eligible Chatter fields. You can’t choose to encrypt only certain Chatter
fields.
Search Indexes
When you encrypt search indexes, each file created to store search results is encrypted.
SEE ALSO:
Encrypt New Data in Fields
Which Custom Fields Can I Encrypt?
You can encrypt the contents of fields that belong to one of these custom field types, on either standard or custom objects.
• Email
• Phone
• Text
• Text Area
• Text Area (Long)
• URL
• Date
• Date/Time
After a custom field is encrypted, you can’t change the field type. For custom phone and email fields, you also can’t change the field
format.
Important: When you encrypt the Name field, enhanced lookups are automatically enabled. Enhanced lookups improve the
user’s experience by searching only through records that have been looked up recently, and not all existing records. Switching to
enhanced lookups is a one-way change. You can’t go back to standard lookups, even if you disable encryption.
You can’t use Schema Builder to create an encrypted custom field.
To encrypt custom fields that have the Unique or External ID attribute, you can only use deterministic encryption.
Some custom fields can’t be encrypted:
• Fields on external data objects
• Fields that are used in an account contact relation
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Encrypt New Data in Fields
Which Files Are Encrypted?
When you enable Shield Platform Encryption for files and attachments, all files and attachments that can be encrypted are encrypted. The body of each file or attachment is encrypted when it’s uploaded.
These kinds of files are encrypted when you enable file encryption:
• Files attached to email
• Files attached to feeds
• Files attached to records
• Images included in Rich Text Area fields
• Files on the Content, Libraries, and Files tabs (Salesforce Files, including file previews, and Salesforce CRM Content files)
• Files managed with Salesforce Files Sync and stored in Salesforce
• Files attached to Chatter posts, comments, and the sidebar
• Notes body text using the new Notes tool
• Files attached to Knowledge articles
• Quote PDFs
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Which User Permissions Does Shield Platform Encryption Require?
Assign permissions to your users according to their roles regarding encryption and key management.
Some users need permission to select data for encryption, while other users require combinations
of permissions to work with certificates or tenant secrets. You can enable these permissions for user
profiles just like you would any other user permission.
The permissions involved are Manage Encryption Keys, Customize Application, View Setup and
Configuration, Manage Certificates, and Modify All Data. They govern these actions:
• View Platform Encryption Setup pages
• Edit Platform Encryption Setup pages, excluding Key Management and Advanced Settings
• Generate, destroy, export, and import tenant secrets
• Query TenantSecret object via the API
• Edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring
Your Own Key service
• Edit options on the Advanced Settings page
The Customize Application and Manage Certificates permissions are automatically enabled for users with the System Administrator
profile.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Manage Shield Platform Encryption
Why Isn’t My Encrypted Data Masked?
If the encryption service isn’t available, data is masked in some types of encrypted fields. This is to
help you troubleshoot encryption key issues, not to control user access to data. If you have data
that you don’t want some users to see, revisit those users’ field-level security settings, record access
settings, and object permissions.
Encryption prevents outsiders from using your Salesforce data even if they manage to get it. It is
not a way to hide data from authenticated users. User permissions are the only way to control data
visibility for authenticated users. Encryption at rest is about logins, not permissions.
With Shield Platform Encryption, if a user is authorized to see a given set of data, that user sees that
data whether it’s encrypted or not.
• Authentication means making sure only legitimate users can get into your system. For
example, a company’s Salesforce org is only for use by active employees of that company.
Anyone who is not an employee is not authenticated; that is, they are barred from logging in.
If they do somehow get their hands on the data, it’s useless to them because it is encrypted.
• Authorization defines which data or features an authenticated user can use. For example, a
sales associate can see and use data in the Leads object, but can’t see the regional forecasts,
which are intended for sales managers. Both the associate and the manager are properly logged in (authenticated), but their
permissions (authorization) are different. That the data is encrypted doesn’t make any difference to them.
In general, data can be masked but not encrypted, or encrypted but not masked. For example, regulators often require that only the last
four digits of a credit card number be visible to users. Applications typically mask the rest of the number, meaning they replace the digits
with asterisks on the user’s screen. Without encryption, you can still read the digits that are masked if you can get to the database where
they are stored.
Masking might not be enough for your credit card numbers. You may or may not want to encrypt them in the database as well. (You
probably should.) If you do, authenticated users will still see the same masked values.
In this way, masking and encryption are different solutions for different problems. You mask data to hide it from users who are authenticated
but not authorized to see that data. You encrypt data to prevent someone from stealing the data. (Or, more precisely, to make the data
useless if someone does steal it.)
The following table shows the fields that use masking. All others don’t.
Field Type | Mask | What It Means
Email, Phone, Text, Text Area, Text Area (Long), URL | ????? | This field is encrypted, and the encryption key has been destroyed.
Email, Phone, Text, Text Area, Text Area (Long), URL | !!!!! | This service is unavailable right now. For help accessing this service, contact Salesforce.
Custom Date | 08/08/1888 | This field is encrypted, and the encryption key has been destroyed.
Custom Date | 01/01/1777 | This service is unavailable right now. For help accessing this service, contact Salesforce.
Custom Date/Time | 08/08/1888 12:00 PM | This field is encrypted, and the encryption key has been destroyed.
Custom Date/Time | 01/01/1777 12:00 PM | This service is unavailable right now. For help accessing this service, contact Salesforce.
You can’t enter these masking characters into an encrypted field. For example, if a Date field is encrypted and you enter 07/07/1777,
you must enter a different value before it can be saved.
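The mask values in the table above are the only signal an integration gets that a field's key is gone or that the service is down, so a practitioner wants to catch them rather than store them as customer data. The following is an added example, not code from this guide or from Salesforce: a small Node.js check that classifies field values against the mask table, summarises findings over a batch of records (the record IDs and the field-to-type mapping are constructed), and refuses to write a mask value into an encrypted field, which the guide says can't be saved.

```javascript
// Added example (not Salesforce code): recognises the mask values from the table
// above in field values read back from an org, so a health check can tell
// "key destroyed" from "encryption service unavailable" instead of treating the
// masks as user data. Field type labels follow the table; sample data is constructed.
const MASK_TABLE = [
  { types: ['Email', 'Phone', 'Text', 'Text Area', 'Text Area (Long)', 'URL'],
    keyDestroyed: '?????', serviceUnavailable: '!!!!!' },
  { types: ['Custom Date'], keyDestroyed: '08/08/1888', serviceUnavailable: '01/01/1777' },
  { types: ['Custom Date/Time'], keyDestroyed: '08/08/1888 12:00 PM', serviceUnavailable: '01/01/1777 12:00 PM' },
];

// Returns 'key_destroyed', 'service_unavailable', or null for one field value.
function classifyMask(fieldType, value) {
  if (typeof value !== 'string') return null;              // non-text values are never masks
  const row = MASK_TABLE.find(r => r.types.includes(fieldType));
  if (!row) return null;                                    // field types outside the table are never masked
  const v = value.trim();
  if (v === row.keyDestroyed) return 'key_destroyed';
  if (v === row.serviceUnavailable) return 'service_unavailable';
  return null;
}

// Scans records (for example a query result) and groups findings by status, so an
// admin can see whether a tenant secret must be re-imported or the service is down.
function scanRecords(records, fieldTypes) {
  const summary = { key_destroyed: [], service_unavailable: [] };
  for (const rec of records) {
    for (const [field, type] of Object.entries(fieldTypes)) {
      const status = classifyMask(type, rec[field]);
      if (status) summary[status].push({ id: rec.Id, field });
    }
  }
  return summary;
}

// The guide notes that mask characters cannot be saved into an encrypted field;
// reject them before an API write instead of letting the save fail.
function isWritable(fieldType, value) {
  return classifyMask(fieldType, value) === null;
}

// Constructed sample data (field types assumed for the custom fields).
const SAMPLE_FIELD_TYPES = { Email: 'Email', Birthdate__c: 'Custom Date', Notes__c: 'Text Area (Long)' };
const SAMPLE_RECORDS = [
  { Id: '001000000000001', Email: 'ann@example.com', Birthdate__c: '03/14/1980', Notes__c: 'ok' },
  { Id: '001000000000002', Email: '?????', Birthdate__c: '08/08/1888', Notes__c: '?????' },
  { Id: '001000000000003', Email: '!!!!!', Birthdate__c: '01/01/1777', Notes__c: 'fine' },
];
```

Calling scanRecords(SAMPLE_RECORDS, SAMPLE_FIELD_TYPES) reports three key-destroyed fields on the second record and two service-unavailable fields on the third; the first record produces no findings because its values are ordinary data.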
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Behind the Scenes: The Shield Platform Encryption Process
When users submit data, the application server looks for the org-specific data encryption key in its
cache. If it isn’t there, the application server gets the encrypted tenant secret from the database
and asks the key derivation server to derive the key. The encryption service then encrypts the data
on the application server.
Salesforce securely generates the master and tenant secrets by using Hardware Security Modules
(HSMs). The unique key is derived by using PBKDF2, a Key Derivation Function (KDF), with the master
and tenant secrets as inputs.
Shield Platform Encryption Process Flow
1. When a Salesforce user saves encrypted data, the runtime engine determines from metadata whether to encrypt the field, file, or
attachment before storing it in the database.
2. If so, the encryption service checks for the matching data encryption key in cached memory.
3. The encryption service determines whether the key exists.
a. If so, the encryption service retrieves the key.
b. If not, the service sends a derivation request to a key derivation server, which derives the key and returns it to the encryption
service running on the Salesforce Platform.
4. After retrieving or deriving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using
256-bit AES encryption.
5. The ciphertext is saved in the database or file storage. The IV and corresponding ID of the tenant secret used to derive the data
encryption key are saved in the database.
Salesforce generates a new master secret at the start of each release.
Behind the Scenes: The Search Index Encryption Process
The Salesforce search engine is built on the open-source enterprise search platform software Apache
Solr. The search index, which stores tokens of record data with links back to the original records
stored in the database, is housed within Solr. Partitions divide the search index into segments to
allow Salesforce to scale operations. Apache Lucene is used for its core library.
Leveraging Shield Platform Encryption’s HSM-based key derivation architecture, metadata, and
configurations, Search Index Encryption runs when Shield Platform Encryption is in use. The solution
applies strong encryption on an org-specific search index (.fdt, .tim, and .tip file types) using an
org-specific 256-bit AES encryption key. The search index is encrypted at the search index segment
level, and all search index operations require index blocks to be encrypted in memory.
The only way to access the search index or the key cache is through programmatic APIs.
A Salesforce security administrator can enable Search Index Encryption from Setup. The administrator
first creates a tenant secret of the Search Index type, then enables Encryption for Search Indexes.
The admin configures their encryption policy by selecting fields and files to encrypt. An org-specific
HSM-derived key is derived from the tenant secret on demand. The key material is passed to the
search engine’s cache on a secure channel.
The process when a user creates or edits records:
1. The core application determines if the search index segment should be encrypted or not based on metadata.
2. If the search index segment should be encrypted, the encryption service checks for the matching search encryption key ID in the
cached memory.
3. The encryption service determines if the key exists in the cache.
a. If the key exists in the cache, the encryption service uses the key for encryption.
b. Otherwise, the service sends a request to the core application, which in turn sends an authenticated derivation request to a key
derivation server and returns the key to the core application server.
4. After retrieving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using NSS or JCE’s
AES-256 implementation.
5. The key ID (identifier of the key being used to encrypt the index segment) and IV are saved in the search index.
The process is similar when a user searches for encrypted data:
1. When a user searches for a term, the term is passed to the search index, along with which Salesforce objects to search.
2. When the search index executes the search, the encryption service opens the relevant segment of the search index in memory and
reads the key ID and IV.
3. Steps 3 through 5 of the process when a user creates or edits records are repeated.
4. The search index processes the search and returns the results to the user seamlessly.
If Salesforce admins disable encryption on a field, all index segments that were encrypted are unencrypted and the key ID is set to null.
This process can take up to seven days.
How Do I Deploy Shield Platform Encryption?
When you deploy Shield Platform Encryption to your org with a tool such as Force.com IDE, Migration
Tool, or Workbench, the Encrypted field attribute persists. However, if you deploy to orgs with
different encryption settings, the effect depends on whether Shield Platform Encryption is enabled
in the target org.
Regardless of how you deploy, Salesforce automatically checks to see if the implementation violates
Shield Platform Encryption guidelines.
Source Organization | Target Organization | Result
Shield Platform Encryption enabled | Shield Platform Encryption enabled | The source Encrypted field attribute indicates enablement
Shield Platform Encryption enabled | Shield Platform Encryption not enabled | The Encrypted field attribute is ignored
Shield Platform Encryption not enabled | Shield Platform Encryption enabled | The target Encrypted field attribute indicates enablement
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
How Does Shield Platform Encryption Work In a Sandbox?
Refreshing a sandbox from a production organization creates an exact copy of the production
organization. If Shield Platform Encryption is enabled on the production organization, all encryption
settings are copied, including tenant secrets created in production.
Once a sandbox is refreshed, tenant secret changes are confined to your current organization. This
means that when you rotate or destroy a tenant secret on sandbox, it doesn’t affect the production
organization.
As a best practice, rotate tenant secrets on sandboxes after a refresh. Rotation ensures that production
and sandbox use different tenant secrets. Destroying tenant secrets on a sandbox renders encrypted
data unusable in cases of partial or full copies.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Shield Platform Encryption Terminology
Encryption has its own specialized vocabulary. To get the most out of your Shield Platform Encryption
features, it’s a good idea to familiarize yourself with the key terms, such as hardware security module,
key rotation, and master secret.
Data Encryption
The process of applying a cryptographic function to data that results in ciphertext. The platform
encryption process uses symmetric key encryption and a 256-bit Advanced Encryption Standard
(AES) algorithm using CBC mode, and a randomized, 128-bit initialization vector (IV) to encrypt
field-level data and files stored on the Salesforce Platform. Both data encryption and decryption
occur on the application servers.
Data Encryption Keys
Shield Platform Encryption uses data encryption keys to encrypt and decrypt data. Data
encryption keys are derived on a key derivation server using keying material split between a
per-release master secret and an organization-specific tenant secret stored encrypted in the
database as a part of your organization. The 256-bit derived keys exist in memory until evicted
from the cache.
Encrypted Data at Rest
Data that is encrypted when stored on disk. Salesforce supports encryption for fields stored in the database, documents stored in
Files, Content Libraries, and Attachments, and archived data.
Encryption Key Management
Refers to all aspects of key management, such as key creation, processes, and storage. Tenant secret management is performed by
administrators or users who have the “Manage Encryption Keys” permission.
Hardware Security Module (HSM)
Used to provide cryptography processing as well as key management for authentication. Shield Platform Encryption uses HSMs to
generate and store secret material and run the function that derives data encryption keys used by the encryption service to encrypt
and decrypt data.
Initialization Vector (IV)
A random sequence used with a key to encrypt data.
Shield Key Management Service (KMS)
Uses a pseudorandom number generator and input such as a password to derive keys. Shield Platform Encryption uses PBKDF2
(Password-based Key Derivation Function 2) with HMAC-SHA-256.
Key (Tenant Secret) Rotation
The process of generating a new tenant secret and archiving the previously active one. Active tenant secrets are used for both
encryption and decryption. Archived ones are used only for decryption until all data has been re-encrypted using the new, active
tenant secret.
Master HSM
The master HSM consists of a USB device used to generate secure, random secrets each Salesforce release. The master HSM is
“air-gapped” from Salesforce’s production network and stored securely in a bank safety deposit box.
Master Secret
Used in conjunction with the tenant secret and key derivation function to generate a derived data encryption key. The master secret
is updated each release by Salesforce and encrypted using the per-release master wrapping key, which is in turn encrypted with the
Key Derivation Servers’ public key so it can be stored encrypted on the file system. Only HSMs can decrypt it. No Salesforce employees
have access to these keys in cleartext.
Master Wrapping Key
A symmetric key is derived and used as a master wrapping key, also known as a key wrapping key, encrypting all the per-release
keys and secrets bundle.
Tenant Secret
An organization-specific secret used in conjunction with the master secret and key derivation function to generate a derived data
encryption key. When an organization administrator rotates a key, a new tenant secret is generated. To access the tenant secret via
the API, refer to the TenantSecret object. No Salesforce employees have access to these keys in cleartext.
What’s the Difference Between Classic Encryption and Shield Platform
Encryption?
With Shield Platform Encryption, you can encrypt a variety of widely used standard fields, along
with some custom fields and many kinds of files. Shield Platform Encryption also supports person
accounts, cases, search, approval processes, and other key Salesforce features. Classic encryption
lets you protect only a special type of custom text field, which you create for that purpose.
Feature | Classic Encryption | Platform Encryption
Pricing | Included in base user license | Additional fee applies
Encryption at Rest | |
Native Solution (No Hardware or Software Required) | |
Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES)
HSM-based Key Derivation | |
Manage Encryption Keys Permission | |
Generate, Export, Import, and Destroy Keys | |
PCI-DSS L1 Compliance | |
Masking | |
Mask Types and Characters | |
View Encrypted Data Permission Required to Read Encrypted Field Values | |
Encrypted Standard Fields | |
Encrypted Attachments, Files, and Content | |
Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters |
Encrypt Existing Fields for Supported Custom Field Types | |
Search (UI, Partial Search, Lookups, Certain SOSL Queries) | |
API Access | |
Available in Workflow Rules and Workflow Field Updates | |
Available in Approval Process Entry Criteria and Approval Step Criteria | |
Platform Encryption Best Practices
Take the time to identify the most likely threats to your organization. This helps you distinguish
data that needs encryption from data that doesn’t, so that you can encrypt only what you need to.
Make sure that your tenant secret and keys are backed up, and be careful who you allow to manage
your secrets and keys.
1. Define a threat model for your organization.
To identify the threats that are most likely to affect your organization, walk through a formal
threat modeling exercise. Use your findings to create a data classification scheme, which can
help you decide what data to encrypt.
2. Encrypt only where necessary.
• Not all data is sensitive. Focus on information that requires encryption to meet your
regulatory, security, compliance, and privacy requirements. Unnecessarily encrypting data
impacts functionality and performance.
• Evaluate your data classification scheme early and work with stakeholders in security,
compliance, and business IT departments to define requirements. Balance business-critical
functionality against security and risk measures and challenge your assumptions periodically.
3. Create a strategy early for backing up and archiving keys and data.
If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure that your data
and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed, or misplaced tenant
secrets.
4. Read the Shield Platform Encryption considerations and understand their implications on your organization.
• Evaluate the impact of the considerations on your business solution and implementation.
• Test Shield Platform Encryption in a sandbox environment before deploying to a production environment.
• Before enabling encryption, fix any violations that you uncover. For example, referencing encrypted fields in a SOQL WHERE
clause triggers a violation. Similarly, if you reference encrypted fields in a SOQL ORDER BY clause, a violation occurs. In both cases,
fix the violation by removing references to the encrypted fields.
5. Analyze and test AppExchange apps before deploying them.
• If you use an app from the AppExchange, test how it interacts with encrypted data in your organization and evaluate whether
its functionality is affected.
• If an app interacts with encrypted data that's stored outside of Salesforce, investigate how and where data processing occurs
and how information is protected.
• If you suspect Shield Platform Encryption could affect the functionality of an app, ask the provider for help with evaluation. Also
discuss any custom solutions that must be compatible with Shield Platform Encryption.
• Apps on the AppExchange that are built exclusively using Lightning Platform inherit Shield Platform Encryption capabilities and
limitations.
6. Platform Encryption is not a user authentication or authorization tool. To control which users can see which data, use field-level
security settings, page layout settings, and validation rules, not Platform Encryption.
7. Grant the “Manage Encryption Keys” user permission to authorized users only.
Users with the “Manage Encryption Keys” permission can generate, export, import, and destroy organization-specific keys. Monitor
the key management activities of these users regularly with the setup audit trail.
8. Mass-encrypt your existing data.
Existing field and file data is not automatically encrypted when you turn on Shield Platform Encryption. To encrypt existing field
data, update the records associated with the field data. This action triggers encryption for these records so that your existing data
is encrypted at rest. To encrypt existing files, contact Salesforce.
9. Don't use Currency and Number fields for sensitive data.
You can often keep private, sensitive, or regulated data safe without encrypting associated Currency or Number fields. Encrypting
these fields could have broad functional consequences across the platform, such as disruptions to roll-up summary reports, report
timeframes, and calculations, so they are not encryptable.
10. Communicate to your users about the impact of encryption.
Before you enable Shield Platform Encryption in a production environment, inform users about how it affects your business solution.
For example, share the information described in Shield Platform Encryption considerations, where it's relevant to your business
processes.
11. Encrypt your data using the most current key.
When you generate a new tenant secret, any new data is encrypted using this key. However, existing sensitive data remains encrypted
using previous keys. In this situation, Salesforce strongly recommends re-encrypting these fields using the latest key. Contact Salesforce
for help with re-encrypting your data.
SEE ALSO:
Tradeoffs and Limitations of Shield Platform Encryption
Tradeoffs and Limitations of Shield Platform Encryption
A security solution as powerful as Shield Platform Encryption doesn't come without some tradeoffs.
When your data is encrypted, some users may see limitations to some functionality, and a few
features aren't available at all. Consider the impact on your users and your overall business solution
as you design your encryption strategy.
IN THIS SECTION:
General Shield Platform Encryption Considerations
These considerations apply to all data that you encrypt using Shield Platform Encryption.
Which Salesforce Apps Don’t Support Shield Platform Encryption?
Some Salesforce features work as expected when you work with data that’s encrypted with
Shield Platform Encryption. Others don’t.
Considerations for Using Deterministic Encryption (Beta)
Shield Platform Encryption and the Lightning Experience
Shield Platform Encryption works the same way in the Lightning Experience as it does in
Salesforce Classic, with a few minor exceptions.
Field Limits with Shield Platform Encryption
Under certain conditions, encrypting a field can impose limits on the values that you store in that field. If you expect users to enter
non-ASCII values, such as Chinese, Japanese, or Korean-encoded data, we recommend creating validation rules to enforce these
limits.
SEE ALSO:
Platform Encryption Best Practices
General Shield Platform Encryption Considerations
These considerations apply to all data that you encrypt using Shield Platform Encryption.
Leads
Lead and Case assignment rules, workflow rules, and validation rules work normally when Lead
fields are encrypted. Matching and de-duplication of records during lead import works with
deterministic encryption, but not probabilistic encryption. Einstein Lead Scoring is not available.
Apex Lead Conversion works normally, but PL-SQL-based lead conversion is not supported.
Flows and Processes
You can reference encrypted fields in most places in your flows and processes. However, you can’t
reference encrypted fields in these filtering or sorting contexts.
Tool | Filtering Availability | Sorting Availability
Process Builder | Update Records action | n/a
Cloud Flow Designer | Dynamic Record Choice resource, Fast Lookup element, Record Delete element, Record Lookup element, Record Update element | Dynamic Record Choice resource, Fast Lookup element, Record Lookup element
You can store the value from an encrypted field in a variable and operate on that value in your flow’s logic. You can also update the
value for an encrypted field.
Paused flow interviews can result in data being saved in an unencrypted state. When a flow or process is waiting to resume, the associated
flow interview is serialized and saved to the database. The flow interview is serialized and saved when:
• Users pause a flow
• Flows execute a Wait element
• Processes are waiting to execute scheduled actions
If the flow or process loads encrypted fields into a variable during these processes, that data might not be encrypted at rest.
Custom Fields
You can’t use encrypted custom fields in criteria-based sharing rules.
Some custom fields can’t be encrypted.
• Fields that have the Unique or External ID attributes or include these attributes on previously encrypted custom fields
(applies only to fields that use the probabilistic encryption scheme)
• Fields on external data objects
• Fields that are used in an account contact relation
You can’t use Schema Builder to create an encrypted custom field.
SOQL/SOSL
• Encrypted fields that use the probabilistic encryption scheme can’t be used with the following SOQL and SOSL clauses and functions:
– Aggregate functions such as MAX(), MIN(), and COUNT_DISTINCT()
– WHERE clause
– GROUP BY clause
– ORDER BY clause
For information about SOQL and SOSL compatibility with deterministic encryption, see Considerations for Using Deterministic
Encryption in Salesforce Help.
Tip: Consider whether you can replace a WHERE clause in a SOQL query with a FIND query in SOSL.
• When you query encrypted data, invalid strings return an INVALID_FIELD error instead of the expected MALFORMED_QUERY.
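Step 4 of the best practices (fix WHERE and ORDER BY references to encrypted fields before enabling encryption) and the list above describe the same pre-deployment check. The following Node.js lint is an added example, not Salesforce tooling or code from this guide: it takes a query string and a per-object list of fields that use the probabilistic scheme (constructed here for Contact) and reports field references in the WHERE, GROUP BY and ORDER BY clauses and inside aggregate functions. The clause splitter is regex-based and assumes ordinary queries; it is not a full SOQL parser, and the aggregate list extends the guide's "such as" examples with the other SOQL aggregates.

```javascript
// Added example (not Salesforce code): a pre-deployment lint that finds references
// to probabilistically encrypted fields in the SOQL positions the guide says are
// not allowed: WHERE, GROUP BY, ORDER BY and aggregate functions. The encrypted
// field list and the sample queries are constructed for this example.

// Tokens that look like identifiers but are SOQL keywords or literals, not fields.
const NOT_FIELDS = new Set(['and', 'or', 'not', 'in', 'like', 'null', 'true', 'false',
  'asc', 'desc', 'nulls', 'first', 'last', 'includes', 'excludes', 'today',
  'yesterday', 'tomorrow']);

// Identifiers (including relationship paths such as Account.Name) in a clause body.
function fieldsIn(clauseText) {
  const out = [];
  const re = /\b[A-Za-z_][A-Za-z0-9_.]*\b/g;
  let m;
  while ((m = re.exec(clauseText)) !== null) {
    if (!NOT_FIELDS.has(m[0].toLowerCase())) out.push(m[0]);
  }
  return out;
}

// Each clause body runs until the next clause keyword or the end of the query.
const CLAUSES = {
  'WHERE': /\bWHERE\b([\s\S]*?)(?=\bWITH\b|\bGROUP\s+BY\b|\bORDER\s+BY\b|\bLIMIT\b|\bOFFSET\b|\bFOR\b|$)/i,
  'GROUP BY': /\bGROUP\s+BY\b([\s\S]*?)(?=\bHAVING\b|\bORDER\s+BY\b|\bLIMIT\b|\bOFFSET\b|$)/i,
  'ORDER BY': /\bORDER\s+BY\b([\s\S]*?)(?=\bLIMIT\b|\bOFFSET\b|\bFOR\b|$)/i,
};
// The guide names MAX(), MIN() and COUNT_DISTINCT() as examples; the remaining
// SOQL aggregates are included on the same basis.
const AGGREGATE = /\b(MAX|MIN|COUNT_DISTINCT|COUNT|SUM|AVG)\s*\(([^)]*)\)/gi;

// encryptedFields: { ObjectName: ['Field', ...] } for fields on the probabilistic scheme.
function findEncryptedReferences(soql, encryptedFields) {
  const objMatch = /\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)/i.exec(soql);
  const object = objMatch ? objMatch[1] : '';
  const encrypted = new Set((encryptedFields[object] || []).map(f => f.toLowerCase()));
  // Blank out string literals so a quoted value is never mistaken for a field name.
  const stripped = soql.replace(/'(?:\\'|[^'])*'/g, "''");
  const violations = [];
  for (const [clause, re] of Object.entries(CLAUSES)) {
    const m = re.exec(stripped);
    if (!m) continue;
    for (const f of fieldsIn(m[1])) {
      if (encrypted.has(f.toLowerCase())) violations.push({ clause, field: f });
    }
  }
  AGGREGATE.lastIndex = 0;
  let a;
  while ((a = AGGREGATE.exec(stripped)) !== null) {
    for (const f of fieldsIn(a[2])) {
      if (encrypted.has(f.toLowerCase())) violations.push({ clause: a[1].toUpperCase() + '()', field: f });
    }
  }
  return violations;
}

// Constructed encryption policy and queries; Phone is deliberately left unencrypted.
const ENCRYPTED = { Contact: ['Email', 'LastName'] };
const SAMPLE_QUERIES = [
  "SELECT Id, Name FROM Contact WHERE Email = 'ann@example.com' AND Phone != null ORDER BY LastName DESC LIMIT 10",
  'SELECT COUNT_DISTINCT(Email) FROM Contact GROUP BY LastName',
  "SELECT Id FROM Contact WHERE Phone LIKE '555%'",
];

function lintAll(queries, encryptedFields) {
  return queries.map(q => findEncryptedReferences(q, encryptedFields));
}
```

lintAll(SAMPLE_QUERIES, ENCRYPTED) flags Email in the WHERE clause and LastName in ORDER BY for the first query, LastName in GROUP BY and Email inside COUNT_DISTINCT() for the second, and nothing for the third, which filters only on the unencrypted Phone field. Per the tip above, the usual remediation for a flagged WHERE clause is a SOSL FIND, or removing the reference.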
Portals
If a portal is enabled in your organization, you can’t encrypt standard fields. Deactivate all customer portals and partner portals to enable
encryption on standard fields. (Communities are supported.)
To deactivate a customer portal, go to the Customer Portal Settings page in Setup. To deactivate a partner portal, go to the Partners
page in Setup.
Search
If you encrypt fields with a key and then destroy the key, the corresponding search terms remain in the search index. However, you can’t
decrypt the data associated with the destroyed key.
Accounts, Person Accounts, and Contacts
When Person Accounts are turned on, encrypting any of the following Account fields encrypts the equivalent Contact fields, and vice
versa.
• Name
• Description
• Phone
• Fax
When you encrypt any of the following Account or Contact fields, the equivalent fields in Person Accounts are also encrypted.
• Name
• Description
• Mailing Address
• Phone
• Fax
• Mobile
• Home Phone
• Other Phone
• Email
When the Account Name or Contact Name field is encrypted, searching for duplicate accounts or contacts to merge doesn’t return any
results.
When you encrypt the First Name or Last Name field on a contact, that contact appears in the Calendar Invite lookup only if you haven’t
filtered by First Name or Last Name.
Email to Salesforce
When the standard Email field is encrypted, the detail page for Contacts, Leads, or Person Accounts doesn’t flag invalid email addresses.
If you need bounce processing to work as expected, don't encrypt the standard Email field.
Salesforce for Outlook
If you encrypt the same fields that you filter in Salesforce for Outlook data sets, Salesforce for Outlook doesn’t sync. To get Salesforce for
Outlook to sync again, remove the encrypted fields from your filters in your data sets.
Campaigns
Campaign member search isn’t supported when you search by encrypted fields.
Notes
You can encrypt the body text of Notes created with the new Notes tool. However, the Preview file and Notes created with the old Notes
tool aren’t supported.
Field Audit Trail
Data in a previously archived Field Audit Trail isn’t encrypted when you turn on Platform Encryption. For example, say that your org uses
Field Audit Trail to define a data history retention policy for an account field, such as the phone number field. When you turn on encryption
for that field, new phone number records are encrypted as they are created. Previous updates to the phone number field that are stored
in the Account History related list are also encrypted. However, phone number history data that is already archived in the
FieldHistoryArchive object is stored without encryption. To encrypt previously archived data, contact Salesforce.
Communities
If you encrypt the Account Name field and you’re not using Person Accounts, encryption affects how users’ roles are displayed to admins.
Normally, a community user’s role name is displayed as a combination of their account name and the name of their user profile. When
you encrypt the Account Name field, the account ID is displayed instead of the account name.
For example, when the Account Name field is not encrypted, users belonging to the Acme account with the Customer User profile would
have a role called Acme Customer User. When Account Name is encrypted (and Person Accounts aren’t in use), the role is displayed
as something like 001D000000IRt53 Customer User.
Data Import
You can’t use the Data Import Wizard to perform matching using master-detail relationships or update records that contain fields that
use the probabilistic encryption scheme. You can use it to add new records, however.
Reports, Dashboards, and List Views
• Report charts and dashboard components that display encrypted field values might be cached unencrypted.
• You can’t sort records in list views by fields that contain encrypted data.
Encryption for Chatter
When you embed a custom component in your Chatter feed using Rich Publisher Add-Ons, the data related to those add-ons is encoded,
but it isn’t encrypted with the Shield Platform Encryption service. Unencrypted data in Rich Publisher Add-Ons includes data stored in
the Extension ID, Text Representation, Thumbnail URL, Title, Payload, and PayloadVersion fields.
Encryption for Custom Matching Rules Used in Duplicate Management (Beta)
Custom matching rules can only reference fields encrypted with the deterministic encryption scheme. Probabilistic encryption isn’t
supported. Custom matching rules can detect exact case-sensitive and case-insensitive matches, but not fuzzy matches. When you
rotate your keys, you must deactivate and then reactivate custom matching rules that reference encrypted fields. If you don’t take this
step after updating your key material, matching rules don’t find all your encrypted data.
Standard matching rules that include fields with Shield Platform Encryption don’t detect duplicates. If you encrypt a field included in
standard matching rules, deactivate the standard rule.
General
• Encrypted fields can’t be used in:
– Criteria-based sharing rules
– Similar opportunities searches
– External lookup relationships
– Filter criteria for data management tools
• Live Agent chat transcripts are not encrypted at rest.
• Web-to-Case is supported, but the Web Company, Web Email, Web Name, and Web Phone fields are not encrypted at rest.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Which Salesforce Apps Don’t Support Shield Platform Encryption?
EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
Some Salesforce features work as expected when you work with data that’s encrypted with Shield Platform Encryption. Others don’t.
These apps don’t support data encrypted with Shield Platform Encryption. However, you can enable Shield Platform Encryption for other apps when these apps are in use.
• Connect Offline
• Commerce Cloud
• Data.com
• Einstein Engine
• Heroku (but Heroku Connect does support encrypted data)
• Marketing Cloud (but Marketing Cloud Connect does support encrypted data)
• Pardot (but Pardot Connect supports encrypted contact email addresses if your Pardot org allows multiple prospects with the same email address)
• Salesforce CPQ
• Salesforce IQ
• Salesforce Mobile Classic
• Social Customer Service
• Thunder
• Quip
Legacy portals (customer, self-service, and partner) don’t support data encrypted with Shield Platform Encryption. If legacy portals are
active, Shield Platform Encryption can’t be enabled.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Considerations for Using Deterministic Encryption (Beta)
Available Fields and Other Data
The deterministic encryption option is available for custom URL, email, phone, text, and text area field types. It isn’t available for the
following types of data:
• Custom date, date/time, long text area, or description field types
• Chatter
• Files and attachments
Filter Operators
In reports and list views, the operators “equals” and “not equal to” are supported with deterministic encryption. Other operators, like
“contains” or “starts with,” don’t return an exact match and aren’t supported.
Case Sensitivity
When you use deterministic encryption, case matters. In reports, list views, and SOQL queries on encrypted fields, the results are
case-sensitive. Therefore, a SOQL query against the Contact object, where LastName = 'Jones', returns only Jones, not jones or JONES.
Similarly, when the filter-preserving scheme tests for unicity (uniqueness), each version of “Jones” is unique.
API Options to Identify Filterable Fields
Fields encrypted using the deterministic encryption scheme are filterable. You can use the isFilterable() method to determine
the encryption scheme of a particular encrypted field. The method returns true if the field is filterable. However, you can’t explicitly detect
or set the deterministic encryption scheme via the API.
External ID
You can enable the external ID for deterministically encrypted fields when you use the Unique - Case-Sensitive attribute.
Compound Names
Even with deterministic encryption, some kinds of searches don’t work when data is encrypted. Concatenated values, such as compound
names, aren’t the same as the separate values. For example, the ciphertext for the compound name “William Jones” is not the same as
the concatenation of the ciphertexts for “William” and “Jones”.
So, if the First Name and Last Name fields are encrypted on the Contact object, this query doesn’t work:
SELECT Id FROM Contact WHERE Name = 'William Jones'
But this query does work:
SELECT Id FROM Contact WHERE FirstName = 'William' AND LastName = 'Jones'
SOQL GROUP BY Statements
You can use most of the SOQL statements with deterministic encryption. One exception is GROUP BY, which isn’t supported, even though
you can group report results by row or column.
SOQL ORDER BY Statements
Because deterministic encryption doesn’t maintain the sort order of encrypted data in the database, ORDER BY isn’t supported.
Indexes
Deterministic encryption supports single-column indexes and single-column case-sensitive unique indexes. However, custom indexes
on standard fields and two-column indexes aren’t supported.
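The filter behaviour described in this section (exact, case-sensitive equality only; compound names not matching concatenated parts) and the key-rotation note under Custom Matching Rules above can be modelled with a small deterministic-versus-probabilistic scheme. This is an added illustration, not Salesforce's implementation: the synthetic-IV toy construction, the demo keys, and the sample last names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo keys; real tenant key material never lives in source code.
KEY = b"demo-tenant-key-constructed-for-illustration"
ROTATED_KEY = b"rotated-demo-key-constructed-for-illustration"

def _keystream(key, iv, n):
    # SHA-256 in counter mode as a toy keystream (illustration only, not production).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def det_encrypt(key, plaintext):
    # Deterministic: the IV is derived from key and plaintext, so byte-identical
    # inputs (case included) always yield identical ciphertext.
    pt = plaintext.encode("utf-8")
    iv = hmac.new(key, pt, hashlib.sha256).digest()[:16]
    return iv + _xor(pt, _keystream(key, iv, len(pt)))

def prob_encrypt(key, plaintext):
    # Probabilistic: a fresh random IV, so repeated inputs never share ciphertext.
    pt = plaintext.encode("utf-8")
    iv = os.urandom(16)
    return iv + _xor(pt, _keystream(key, iv, len(pt)))

def decrypt(key, ct):
    iv, body = ct[:16], ct[16:]
    return _xor(body, _keystream(key, iv, len(body))).decode("utf-8")

def filter_equals(key, stored, term):
    # Equality filter as a deterministic index serves it: encrypt the search term
    # once and compare ciphertexts, never decrypting the stored values.
    needle = det_encrypt(key, term)
    return [i for i, ct in enumerate(stored) if ct == needle]

def demo():
    stored = [det_encrypt(KEY, n) for n in ["Jones", "jones", "JONES", "Smith"]]
    return {
        "equals_jones": filter_equals(KEY, stored, "Jones"),  # [0]: exact, case-sensitive
        "compound_differs": det_encrypt(KEY, "William Jones")
        != det_encrypt(KEY, "William") + det_encrypt(KEY, "Jones"),
        "prob_unfilterable": prob_encrypt(KEY, "Jones") != prob_encrypt(KEY, "Jones"),
        "stale_after_rotation": filter_equals(ROTATED_KEY, stored, "Jones"),  # []
    }
```

The empty `stale_after_rotation` result models why matching rules that reference encrypted fields must be deactivated and reactivated after key rotation: ciphertexts written under the old key no longer match a term encrypted under the new one until the data is re-encrypted.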
Shield Platform Encryption and the Lightning Experience
Shield Platform Encryption works the same way in the Lightning Experience as it does in Salesforce Classic, with a few minor exceptions.
Notes
Note previews in Lightning are not encrypted.
File Encryption Icon
The icon that indicates that a file is encrypted doesn’t appear in Lightning.
Field Limits with Shield Platform Encryption
Under certain conditions, encrypting a field can impose limits on the values that you store in that field. If you expect users to enter non-ASCII values, such as Chinese, Japanese, or Korean-encoded data, we recommend creating validation rules to enforce these limits.
Field                                  API Length   Byte Length   Non-ASCII Characters
Assistant Name (Contact)               40           120           22
City (Account, Contact, Lead)          40           120           22
Email (Contact, Lead)                  80           240           70
Fax (Account)                          40           120           22
First Name (Account, Contact, Lead)    40           120           22
Last Name (Contact, Lead)              80           240           70
Middle Name (Account, Contact, Lead)   40           120           22
Name (Opportunity)                     120          360           110
Phone (Account, Contact)               40           120           22
Site (Account)                         80           240           70
Title (Contact, Lead)                  128          384           126
Note: This list isn’t exhaustive. For information about a field not shown here, refer to the API.
Case Comment Object
The Body field on the Case Comment object has a limit of 4,000 ASCII characters (or 4,000 bytes). However, when these fields are
encrypted, the character limit is lower. How much lower depends on the kind of characters you enter.
• ASCII: 2959
• Chinese, Japanese, Korean: 1333
• Other non-ASCII: 1479
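An added example (not from the guide) of the pre-save check the guide recommends implementing as validation rules, written in Python so it can be tested offline. It applies the limits from the field table above and the Case Comment Body limits, and assumes that the API Length column applies to all-ASCII values, that the Non-ASCII Characters column applies to any value containing a non-ASCII character, and that a single CJK character in a Case Comment triggers the Chinese/Japanese/Korean limit.

```python
import unicodedata

# Limits copied from the guide's table, keyed by the field label used there:
# (API length, byte length, non-ASCII character limit).
FIELD_LIMITS = {
    "Assistant Name (Contact)": (40, 120, 22),
    "City (Account, Contact, Lead)": (40, 120, 22),
    "Email (Contact, Lead)": (80, 240, 70),
    "Fax (Account)": (40, 120, 22),
    "First Name (Account, Contact, Lead)": (40, 120, 22),
    "Last Name (Contact, Lead)": (80, 240, 70),
    "Middle Name (Account, Contact, Lead)": (40, 120, 22),
    "Name (Opportunity)": (120, 360, 110),
    "Phone (Account, Contact)": (40, 120, 22),
    "Site (Account)": (80, 240, 70),
    "Title (Contact, Lead)": (128, 384, 126),
}
# Case Comment Body limits from the guide: ASCII, Chinese/Japanese/Korean, other non-ASCII.
CASE_COMMENT_LIMITS = (2959, 1333, 1479)

def _is_cjk(ch):
    # Assumption: CJK means Han, Hiragana, Katakana or Hangul, detected by Unicode name.
    return unicodedata.name(ch, "").startswith(("CJK", "HIRAGANA", "KATAKANA", "HANGUL"))

def field_limit(field, value):
    # Assumption: all-ASCII values get the API length, anything else the non-ASCII limit.
    api_len, _byte_len, non_ascii_len = FIELD_LIMITS[field]
    return api_len if value.isascii() else non_ascii_len

def case_comment_limit(value):
    ascii_max, cjk_max, other_max = CASE_COMMENT_LIMITS
    if value.isascii():
        return ascii_max
    if any(_is_cjk(ch) for ch in value):
        return cjk_max  # assumption: any CJK character triggers the lowest limit
    return other_max

def validate(field, value):
    """Return (ok, message) the way a validation rule would before the record is saved."""
    limit = case_comment_limit(value) if field == "Case Comment Body" else field_limit(field, value)
    if len(value) > limit:
        return False, f"{field}: {len(value)} characters exceeds the encrypted limit of {limit}"
    return True, ""
```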
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Encrypt New Data in Fields