
Get Started with Platform Encryption for Data Cloud

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain how Data Cloud uses Shield Platform Encryption.
  • Identify the permissions that admins need to manage Platform Encryption for Data Cloud.
  • Configure Platform Encryption for Data Cloud.
  • Audit the Data Cloud encryption to ensure security and compliance.

What Is Platform Encryption for Data Cloud?

Platform Encryption for Data Cloud is an at-rest encryption feature that adds extra security for your sensitive Data Cloud data. As soon as you enable it, it starts encrypting all of your Data Cloud data. You can use Salesforce-generated keys for encryption.

As a Salesforce admin, you can use Platform Encryption for Data Cloud to control data security and meet regulatory standards. Your auditors can access audit trails and encryption statistics to verify compliance. And your customers feel safe knowing that their data is protected.

Platform Encryption for Data Cloud banner.

What Can You Protect with Platform Encryption for Data Cloud?

Shield Platform Encryption complies with regulations like GDPR, HIPAA, and CCPA. It secures both customer data and metadata in Salesforce Data Cloud using AES-256 encryption. Data is encrypted with customer-managed keys (CMKs) that are managed through Shield and integrated with AWS Key Management Service (KMS) for added security.

What Permissions Do You Need?

To implement Platform Encryption for Data Cloud, you must be a Salesforce admin with the following permissions.

  • View Setup and Configuration: This permission enables you to access encryption settings and review the configuration within the Salesforce setup. Admins usually already have this permission.
  • Manage Encryption Keys: This permission lets you create, manage, and rotate encryption keys.
  • Customize Application: This permission lets you modify encryption settings and manage encryption policies within Salesforce.

We recommend that you create a permission set that combines the Manage Encryption Keys and Customize Application permissions. Then you can assign that permission set to only those admins who will be managing your encryption.

What’s the Process for Implementing Platform Encryption for Data Cloud?

Implementing Platform Encryption for Data Cloud involves the following tasks.

Provision the license: Platform Encryption for Data Cloud is an add-on to Data Cloud. You must also have an active Shield Platform Encryption license.

Assign permissions: Create a permission set with the Manage Encryption Keys and Customize Application permissions and assign it to the admins who will be managing Shield Platform Encryption. This set enables your admins to manage all Shield Platform Encryption features, including Platform Encryption for Data Cloud.

Generate a tenant secret: Make sure your org has at least one tenant secret. If none are listed in Setup on the Key Management page, click Generate Tenant Secret to create one.

Key Management Page with no tenant secrets created yet.

Enable Data Cloud encryption: In Setup, find Encryption Settings and turn on Manage Data Cloud Keys. Salesforce creates your first Data Cloud root key for you. Encryption for your Data Cloud data begins right away.

Encryption Policy Page showing Manage Data Cloud Keys toggle.

Establish a key rotation policy: To enhance security, rotate your keys every so often. A typical key rotation schedule is every 12 months. On the Key Management page, you’ll see your active and archived keys.

Key Inventory and Management Page showing Data Cloud root keys.

Active root keys are used for encrypting and decrypting new data. When a new root key is created, the previous root key is archived. An archived root key is used only for decrypting data that it encrypted before it was archived.

As you can see, setting up Platform Encryption for Data Cloud is a relatively quick process. And the great thing is that as soon as it’s enabled, we create a root key for you and begin encrypting your Data Cloud data right away.
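The permission-set recommendation above (one dedicated set, assigned only to the admins who manage encryption) can be checked periodically. The following is an added example, not Salesforce code: it shows a SOQL query over the standard PermissionSetAssignment object and a check of the flattened result. The permission set name, usernames, and sample rows are hypothetical and constructed for illustration.

```python
# SOQL that yields the rows audited below. Profiles show up in
# PermissionSetAssignment as profile-owned permission sets
# (PermissionSet.IsOwnedByProfile = true).
SOQL = """
SELECT Assignee.Username, Assignee.IsActive,
       PermissionSet.Name, PermissionSet.IsOwnedByProfile
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsManageEncryptionKeys = true
"""

APPROVED_SET = "Encryption_Key_Admins"       # hypothetical permission set name
APPROVED_USERS = {"kim.admin@example.com"}   # hypothetical approved admins

# Constructed sample rows, flattened from the query result.
SAMPLE_ROWS = [
    {"username": "kim.admin@example.com", "active": True,
     "permission_set": "Encryption_Key_Admins", "owned_by_profile": False},
    {"username": "lee.dev@example.com", "active": True,
     "permission_set": "X00e000000000001", "owned_by_profile": True},
    {"username": "pat.old@example.com", "active": False,
     "permission_set": "Encryption_Key_Admins", "owned_by_profile": False},
    {"username": "sam.ops@example.com", "active": True,
     "permission_set": "Release_Managers", "owned_by_profile": False},
]


def audit_key_permission(rows, approved_set=APPROVED_SET,
                         approved_users=APPROVED_USERS):
    """Return sorted (username, reason) findings for grants outside policy."""
    findings = set()
    for row in rows:
        user = row["username"]
        # How the permission was granted.
        if row["owned_by_profile"]:
            findings.add((user, "granted through a profile"))
        elif row["permission_set"] != approved_set:
            findings.add((user, "granted through an unapproved permission set"))
        # Who holds it.
        if not row["active"]:
            findings.add((user, "inactive user still assigned"))
        elif user not in approved_users:
            findings.add((user, "user is not an approved encryption admin"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in audit_key_permission(SAMPLE_ROWS):
        print(f"{user}: {reason}")
```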

Audit Platform Encryption for Data Cloud

There are three ways to prove that Data Cloud is securely encrypting data with Platform Encryption for Data Cloud.

Review the Key Management Page

The Key Management page shows detailed information about your encryption keys, including their generator, status (Active or Archived), and management options. To access it, type Key Management in the Quick Find box, and select Key Management.

Use Setup Audit Trail

You can use Setup Audit Trail to verify when Data Cloud encryption was enabled. To find it, in Setup, type View Setup Audit Trail in the Quick Find box and select View Setup Audit Trail. This audit trail provides a detailed log of when encryption settings were toggled and helps you confirm that encryption has been consistently applied.

Analyze Encryption Statistics

The Encryption Statistics page in Setup summarizes the encryption status of your data stores, including Data Cloud. Use it to verify encryption coverage and spot any discrepancies. Access it by typing Platform Encryption in the Quick Find box and selecting Encryption Statistics.

But Wait, There’s More!

Shield Platform Encryption offers comprehensive features for encrypting other Salesforce data at rest. Check out the Shield Platform Encryption module to learn more.
