
Get to Know Shield Platform Encryption

Learning Objectives

After completing this unit, you’ll be able to:

  • Define encryption and describe how it protects data.
  • Explain the relationship between tenant secrets, keys, and primary secrets.
  • Explain the benefits of using Shield Platform Encryption.

What Is Encryption?

Encryption is like a digital lock that keeps your data safe. It transforms sensitive information into a coded format that can only be deciphered with a specific key. This way, even if someone gains unauthorized access, they won’t be able to read your data.

At its most basic level, encryption scrambles information so that only people with the right decoder key can unscramble it. These scrambling mechanisms vary in complexity. Some use simple substitution, like exchanging a number for a letter. For example, if we use this method with the encryption key in the next graphic, “Trailhead” would look like “Xvemplieh”.

(Graphic: a lock with an encryption key.)

Other systems use complex algorithms that use multiple keys to scramble and unscramble data. In this way, encryption helps prevent unauthorized people from accessing your data.

How Does Shield Platform Encryption Work?

The basis of encryption is scrambling and unscrambling. Keys do the scrambling and unscrambling, and secrets keep your keys safe and working properly.

A key is a string of characters that scrambles and unscrambles data. Just like a physical key can lock and unlock a door, encryption keys lock and unlock data to make it unreadable or readable. Some systems use a single key for both tasks. Others use keys that work in pairs, with one key dedicated to the scrambling task and the other to the unscrambling task.

Secrets are pieces of keys that combine to create encryption keys, allow servers to verify that a key is up to date, and ensure that requests for access to your data are from authorized key holders.

Secrets and Keys

  • Tenant secrets: They’re unique to your Salesforce org and used to generate encryption keys. Your tenant secret partners with the primary secret in a key derivation function (KDF) to create the keys that encrypt and decrypt your data.
  • Primary secrets: Pair with tenant secrets to create the encryption keys that are used to encrypt and decrypt data. Salesforce generates a new primary secret three times a year, with each release.
  • Encryption keys: These keys encrypt and decrypt your data. Salesforce manages them, but you can also use your own keys for added control.

Why Use Shield Platform Encryption?

Shield Platform Encryption is a Salesforce feature that encrypts your data at rest—data stored on servers, in databases, search index files, and file systems. For some orgs, Shield Platform Encryption can be an effective additional layer of compliance.

Here are some key benefits.

  • Comprehensive protection: Use database encryption to protect all data, including standard fields, custom fields, custom metadata, and Apex data. Database encryption supports full filtering, querying, searching, and sorting of encrypted data.
Note

Database encryption hasn’t yet been deployed to all Hyperforce regions and instances. For product availability and purchasing information, contact your account executive.

  • Compliance with regulations: Shield Platform Encryption helps you meet regulatory and compliance requirements, ensuring that your data is protected according to industry standards.
  • Support for external key management: Features like external key management (EKM) and bring your own key (BYOK) allow you to use your existing key management infrastructure. This provides greater control and flexibility over your encryption keys.
  • Searchable data: Shield Platform Encryption is natively integrated into the Salesforce Platform. It uses metadata to identify encrypted data, ensuring that critical business functionalities like partial search, filtering, and sorting continue to work, even with encrypted data.
  • Flexible encryption options: Field-level encryption (FLE) is available for use cases that require field-by-field encryption at the application tier. FLE uses probabilistic encryption by default, with an option for deterministic encryption when filtering functionality is critical.
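The two ideas above, a KDF that combines a tenant secret with a primary secret, and the difference between probabilistic and deterministic field encryption, as an added illustration that is not Salesforce code. It assumes HKDF-SHA256 as the KDF (the page only says "a KDF"), uses constructed sample secrets, and stands in a toy HMAC-based keystream for the real cipher so it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

# Constructed sample secrets; real tenant and primary secrets are Salesforce-managed.
TENANT_SECRET = b"tenant-secret-org-A-constructed"
PRIMARY_SECRET_V1 = b"primary-secret-release-1-constructed"
PRIMARY_SECRET_V2 = b"primary-secret-release-2-constructed"  # next release's secret

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand. Assumed KDF for this example."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_data_key(tenant_secret: bytes, primary_secret: bytes) -> bytes:
    # Tenant secret is the keying material; the primary secret acts as the salt.
    # Changing either input yields an unrelated data encryption key.
    return hkdf(tenant_secret, primary_secret, b"shield-data-encryption-key")

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy HMAC counter-mode keystream standing in for AES; not Salesforce's cipher.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    # Probabilistic: a fresh random IV per call, so equal plaintexts encrypt differently.
    # Deterministic: the IV is a keyed MAC of the plaintext (a synthetic IV), so equal
    # plaintexts under one key give equal ciphertexts; this is what allows equality
    # filtering, at the cost of revealing which stored values are the same.
    if deterministic:
        iv = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:16]
    else:
        iv = secrets.token_bytes(16)
    ks = _keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, iv, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))
```

Deriving keys for the same tenant under two primary secrets shows why data encrypted under an older key must be re-encrypted or kept accessible through the archived key after a release.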

We suggest checking with a security, legal, and regulatory specialist to help determine if Shield Platform Encryption is the right solution for your org.

Deploy Shield Platform Encryption the Smart Way

To successfully deploy Shield Platform Encryption, thorough planning and testing are essential. Follow these steps to ensure a secure and compliant implementation.

  • Understand the impact: Before enabling, understand how it will affect your organization. Test in a sandbox environment to identify any issues and ensure applications and integrations work as expected.
  • Plan your rollout: Develop a detailed plan for enabling encryption. Consider the order in which you will encrypt fields. A phased rollout of org migrations is recommended for 80 or more encrypted fields.
  • Monitor performance: After enabling encryption, monitor the performance of your org. Use the setup audit trail to track key management activities and ensure everything is functioning as expected.
  • Educate your team: Train your team on the new encryption features and best practices. Ensure everyone understands how to manage encryption keys and handle encrypted data.
  • Regularly review and update: Regularly review your encryption settings and update them as needed. Stay informed about new features and best practices to ensure ongoing security and compliance.