
Get Started with Shield Platform Encryption


Attention, Trailblazer!

Salesforce has two different desktop user interfaces: Lightning Experience and Salesforce Classic. This module is designed for Lightning Experience.

Learning Objectives

After completing this unit, you’ll be able to:

  • Define encryption and describe how it protects data.
  • Describe the difference between Classic Encryption and Shield Platform Encryption.
  • Explain the relationship between tenant secrets, keys, and primary secrets.
  • Identify the permissions needed to set up Shield Platform Encryption in an org.

Crash Course: Encryption 101

When you hear the word encryption, do you think of war-time spies writing down strings of numbers to smuggle troop maneuvers across the border? Or perhaps you think about tech-savvy criminals hacking into a corporation’s secure accounting system to skim millions of dollars into a getaway fund. Or maybe you think of your own online accounts and how your password turns into little dots that hide what you type. Does that count as encryption?

Yep, all these scenarios involve encryption. So let’s look at how encryption works, and see how Shield Platform Encryption can help you keep the information in your Salesforce org safe and secure.

What Is Encryption?

At its most basic level, encryption scrambles information so that only those people with the right decoder key can unscramble it. These scrambling mechanisms vary in complexity. Some use simple substitution, like exchanging a number for a letter. For example, if we used this method with the encryption key in the graphic below, “Trailhead” would look like “Xvemplieh”.

[Figure: Substitution cipher]

Other systems use complex algorithms that use multiple keys to scramble and unscramble data. In this way, encryption helps prevent unauthorized people from accessing your data.

What Kind of Data Can I Encrypt?

You can encrypt all kinds of data. Phone numbers, dates, names, text files, images, you name it. If it’s recorded digitally, you can encrypt it. Shield Platform Encryption encrypts data at rest, meaning that we encrypt it when it’s being stored within Salesforce.

Should I Encrypt My Data?

There are many factors to consider before deciding if you should encrypt your data at rest. Shield Platform Encryption should only be implemented after careful consideration, including an analysis of the kinds of threats your organization should protect against, and which Salesforce security controls can best help you protect against those threats.

Most Salesforce customers secure their data very effectively using the host of other available security features that Salesforce offers. For example, field-level security gives you control over who can access and edit certain fields. Authentication and authorization techniques also allow you to control not only who sees what data, but at what time, and from which locations and devices. You can even monitor these activities using tools like the Security Health Check and Event Monitoring.

But do you need to go the extra mile and encrypt your data? That depends on your industry, its regulatory requirements, and the kind of data you work with. Most companies and organizations are subject to some kind of regulation when keeping customer data secure. Also, contractual obligations and internal compliance policies often emphasize protecting client and customer data. While most data protection regulations don't require that businesses encrypt data at rest, most mention encryption as another access control tool for securing data at rest.

For some customers, Shield Platform Encryption can be an effective additional layer of compliance.

For an answer that's specific to your circumstances, check with a security, legal, and regulatory specialist. They can take your organization through a formal security evaluation and help you find the best solution.

The Salesforce Solution: Shield Platform Encryption

Let’s dig into how Shield Platform Encryption secures data at rest using an advanced key derivation system.

Whoa, whoa, whoa, you might be saying. This sounds pretty complex. Can we start with the basics?

You bet.

What Are Keys and Secrets?

The basis of encryption is scrambling and unscrambling. Keys do the scrambling and unscrambling, and secrets keep your keys safe and working properly.

A key is a string of bits that scrambles and unscrambles data. Just like a physical key can lock and unlock a door, encryption keys lock and unlock data to make it unreadable or readable. Some information can be accessed with only one key. Other keys work in pairs, with one key dedicated to the scrambling task and the other to the unscrambling task.

Secrets are pieces of keys. That is, they work together in a variety of ways to secure your data. Secrets combine to create encryption keys, allow servers to double-check and verify that a key is up to date, and verify that requests for access to your data are from authorized key holders.

A Strong Chain: Keys, Tenant Secrets, and Primary Secrets

Keys and secrets work together to provide layers of security. Think of what makes safety deposit boxes so secure. You have one of the keys that opens your deposit box, but first you have to get inside the bank vault. To do that, you have to go through some additional layers of security. For example, you have to show your ID to a bank teller, who needs to confirm your signature, and then wait for guards to unlock the vault.

Tenant secrets and primary secrets are keys for keys, or that extra layer of protection like the bank teller and vault guard. If hackers get your key, they also must navigate the secret decryption process controlled by the primary and tenant secrets before they can use your key.

And we make it exceptionally difficult for anyone to access these secrets.

Salesforce generates a new primary secret three times a year, with each release. Here’s how secret this secret is: it’s created with a dedicated network appliance called a hardware security module (HSM) specially designed for creating strong and secure cryptographic keys. The HSM is located in a super-secure area, and is only used during a High Assurance Virtual Ceremony, or HAVC. This is a special controlled meeting among several Salesforce cryptographic officers. During the HAVC, the cryptographic officers use the HSM to generate a new primary secret, which is stored in a secure area of our servers.

When you create your own tenant secret on demand in Salesforce, we store it securely in the database. Your tenant secret partners with the primary secret in what’s called a key derivation function to create the keys that encrypt and decrypt your data.

We update the primary secret once per release, but you can update your tenant secrets much more frequently. (More about that in the next unit.)
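The derivation described above, sketched as an added example (not Salesforce's code): it shows a primary secret and a tenant secret combined by a key derivation function into a 256-bit data key, and how rotating either secret yields a different key. HKDF-SHA256 is an assumption made for illustration, since the page does not name the function; the secrets are constructed random values and the context label is hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256 bits, the AES key size the page gives for Shield Platform Encryption


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a pseudorandom key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(primary_secret: bytes, tenant_secret: bytes, context: bytes) -> bytes:
    """Both secrets feed the derivation, so neither one alone yields the data key.

    `context` is a hypothetical label binding the key to one org.
    """
    return hkdf_sha256(salt=primary_secret, ikm=tenant_secret, info=context)


def demo() -> dict:
    # Constructed sample secrets; in the page's description the primary secret
    # comes from an HSM and the tenant secret is generated per org on demand.
    primary = secrets.token_bytes(32)
    tenant_v1 = secrets.token_bytes(32)
    tenant_v2 = secrets.token_bytes(32)  # the tenant secret after a rotation
    ctx = b"org=EXAMPLE_ORG"             # hypothetical context label

    key = derive_data_key(primary, tenant_v1, ctx)
    return {
        "key_bits": len(key) * 8,
        # Same inputs give the same key, so the data key can be re-derived on demand.
        "reproducible": hmac.compare_digest(key, derive_data_key(primary, tenant_v1, ctx)),
        # A rotated tenant secret produces a new key for new data.
        "changes_on_tenant_rotation": key != derive_data_key(primary, tenant_v2, ctx),
        # A new primary secret also changes the derived key.
        "changes_on_primary_rotation": key != derive_data_key(secrets.token_bytes(32), tenant_v1, ctx),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key is a function of both secrets, data encrypted under an earlier tenant secret can only be decrypted while that secret still exists to re-derive its key.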

Enable Shield Platform Encryption

Salesforce offers you two ways to encrypt data. Classic encryption is included in the base price of your Salesforce license. With classic encryption, you can protect a special type of custom text field that you create for data you want to encrypt. The custom field is protected with industry-standard 128-bit Advanced Encryption Standard (AES) keys.

Shield Platform Encryption is available for free in Developer Edition orgs. All other editions require you to purchase a license. With Shield Platform Encryption, you can encrypt all kinds of confidential and sensitive data at rest on the Salesforce Platform. “At rest” means any data that’s inactive or stored in files, spreadsheets, standard and custom fields, and even databases and data warehouses. The data is encrypted with a stronger 256-bit AES key, and subscribers can manage access to their data with a wider range of keys and permissions. Shield Platform Encryption even allows you to search for encrypted data in databases.

Shield Platform Encryption gives customers an encryption advantage because it allows you to prove compliance with regulatory and industry requirements and show that you meet contractual obligations for securing private data in the cloud.

Turning on Shield Platform Encryption is as easy as 1-2-3.

  1. Provision your license. Contact Salesforce to get one. (Shield Platform Encryption is automatically available in Developer Edition orgs.)
  2. Assign permissions. To enable Shield Platform Encryption, you need the Customize Application and Manage Encryption Keys permissions. After you enable encryption, you can give others permission to complete administration tasks on the Encryption Policy page. However, you likely don’t want everyone managing encryption keys. Assign permissions with scenarios from the table below in mind. For example, as an admin, assign yourself the View Setup and Configuration permission. This lets you enable encryption features for fields, files, attachments, and apps.
  3. Enable Shield Platform Encryption for your org. When you have your license and permissions set up, you can enable Shield Platform Encryption on your orgs. You then create org-specific tenant secrets and customize your encryption settings for each org.

Permissions:

  • Manage Encryption Keys
  • Customize Application
  • View Setup and Configuration
  • Manage Certificates

Tasks:

  • View Platform Encryption Setup pages
  • Edit Encryption Policy page settings
  • Generate, destroy, export, import, and upload tenant secrets and customer-supplied key material
  • Query the TenantSecret object via the API
  • Edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service
  • Enable features on the Advanced Settings page (for BYOK features)

In the next unit, we get into the details of which data you can encrypt. But first, ready for a review?

