Set Up and Manage Shield Platform Encryption

Learning Objectives

After completing this unit, you’ll be able to:
  • Create a tenant secret.
  • Enable encryption for files, fields, and attachments.
  • Assign permission to generate, rotate, and archive your org’s keys.

Putting Encryption to Practice

Now that we know a bit about what encryption is and why it’s important, we’ll look at how it works in practice.

Let’s tag along with Doc Mosey. He’s starting his own practice! He’s going to be that country doctor he always wanted to be, making house calls and helping families, from treating little Sally’s scrapes to Great Grandpa’s arthritis. But he can’t afford to leave the 21st century behind. He needs to make sure that his patient records and clinic web portals are safe, secure, and compliant with the latest regulatory requirements.

Enter Shield Platform Encryption to provide the safety and trust that's worthy of a small-town doc.

Doc Mosey’s Security Needs

Now that Doc Mosey has his clinic all set up, he needs to make sure that his electronic patient records and online patient portal are ready for action. He’s done his homework and has decided to use Salesforce to meet regulatory requirements for securing access to health records. Roles and profiles help regulate internal access to certain records: Nurses have access to health records and lab results, office assistants can update contact and basic record information, and patients are able to update personal information and print prescriptions online.

But the doctor wants to make doubly sure that his patients’ health information is protected from unauthorized external access. He’s decided to buy a Shield Platform Encryption license to enhance the security of his patients’ protected health information that’s stored in the clinic’s org. This license also lets him assign a wider range of permissions to in-house staff.

Healthcare industry security and compliance

Assign Permissions and Create a Tenant Secret

Assign Permissions

Because Doc Mosey’s going to be busy with patients, he asked you to handle the Shield Platform Encryption setup. Doc Mosey goes through the steps to give you the “Customize Application” and “Manage Encryption Keys” permissions.

  1. From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
  2. Click New.
  3. Create a label for the set of permissions, for example, Key Manager. The API name populates with a variation of your chosen label.
  4. Click Save.
  5. In the System section of the Key Manager page, select System Permissions.
  6. Click Edit, and enable the Customize Application and Manage Encryption Keys permissions.
  7. Click Save.
  8. From Setup, enter Users in the Quick Find box, then select Users.
  9. Select the name you want in the User list (in this case, that’s yours).
  10. Scroll down to Permission Set Assignments, and select Edit Assignments.
  11. Select Key Manager, then add it to the Enabled Permission Sets list.
  12. Click Save.

If Doc Mosey wanted to manage tenant secrets himself, he would assign these permissions to himself using the same process.

Generate a Tenant Secret

As we learned in the last unit, tenant secrets are used to derive your encryption keys. They work with the Salesforce-generated master secret, but your tenant secret is specific to your org. In this way, the data in each of your orgs is encrypted with keys unique to that org.

Before you can start encrypting patient data, you’ll need to create a tenant secret.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. Select Data in Salesforce from the Choose Tenant Secret Type list. Tenant secret types allow you to specify which kind of data you want to encrypt with a tenant secret. We’ll start by encrypting data in the core Salesforce database for now.
  3. Select Generate Tenant Secret.
Generate a tenant secret

It’s as easy as that. Now you have a tenant secret that the Salesforce key management service can use to create the keys. Those keys encrypt and decrypt the clinic’s data.

Export and Import Tenant Secrets

As a security-minded person, you understand that tenant secrets, like other digital information, need to be backed up. If you or any other authorized org user loses access to encrypted data, you can import a copy of active tenant secrets to regain access to data.

From the Platform Encryption page, click Export to create a local copy of the tenant secret. Your tenant secret is a text file with a long string of unique characters that is encrypted by the Salesforce key management service.

Give this file a meaningful name to remember which tenant secret it includes, and save it in a safe place.

If you need to import this secret to regain access to data, select Import > Choose File. Choose the file with the correct tenant secret.

Key Hygiene: Management Best Practices

Doc Mosey is fastidiously clean by trade and habit, and he encourages you to regularly update your org’s tenant secret. Just like updating a password, frequently updating tenant secrets reduces the likelihood that malicious third parties can brute-force their way into your org.

Generating a new tenant secret and archiving the old one is called key rotation, because your new tenant secret generates new encryption keys. Your organization’s regulatory bodies and security policies often recommend that you rotate your tenant secrets (and keys) at specific intervals.

You can update your tenant secret in just a few steps.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.The Status column in the Key Management view identifies tenant secrets as either Active, Archived, or Destroyed. Key Management page with showing tenant secret type and status
  2. Select a tenant secret type from the list.
  3. To generate a new tenant secret, click Generate Tenant Secret. This action archives the previously active tenant secret of that type.

Archived tenant secrets can’t encrypt new data, but the app uses these archived keys to decrypt the data that was previously encrypted with it.

What if you need to encrypt all of your data with the same tenant secret? No sweat. Contact Salesforce for help applying an active tenant secret to all your encrypted data. We’ll make sure that everything—all your encrypted fields, files, and attachments—gets updated properly.

Encrypt Fields, Files, and Attachments

Now that you have an active tenant secret, you can start encrypting data. Doc Mosey’s asked you to encrypt the parts of patient records that include protected health information, which might include standard fields, like Description and Email, or custom Text fields.
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
  2. Select Encrypt Fields.
  3. Click Edit.
  4. Select the fields you want to encrypt, and click Save.
Select fields for encryption

The automatic validation process checks all your org settings and sends you an email. If any settings block or prevent encryption, you receive instructions for fixing them. No blockers? Super! You’re all set. Field values are encrypted only in records created or updated after encryption is enabled.

Remember, encryption doesn’t take the place of field-level access controls. Encrypted data looks just like unencrypted data from the user’s point of view. Think about those employees in the clinic, such as nurses or lab technicians, who need to view data in those encrypted fields. Assign the appropriate field-level access to those staff members.

Encrypt Files and Attachments

Doc Mosey loves electronic records because he can quickly update patient information in easy-to-access files. When he gets results back from labs or receives patient records from other medical facilities, he wants to encrypt the contents of the files and attach them to the patient records in Salesforce.

You’ve done your homework and know how to help Doc: file and attachment encryption.
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
  2. Select Encrypt Files and Attachments.
  3. Click Save.

Now you, Doc Mosey, and anyone else with the Customize Application permission can encrypt supported file types and even attachments. For example, if Mr. Smith brought in test results from his cardiologist, Doc could upload that file to Mr. Smith’s patient record and encrypt it.

As with encrypted fields, encryption for files and attachments affects only files and attachments created after encryption is enabled. Enabling encryption doesn’t automatically encrypt files and attachments that were already in Salesforce. To encrypt all those files that lived in Doc’s org before you enabled Shield Platform Encryption, contact Salesforce for help.

Way to go! You’ve done Doc proud, and the clinic’s patients can sleep well knowing that their information is safe and secure.

Ready for the next challenge? Before you dive in, we recommend that you create a new Developer Edition org. Shield Platform Encryption can interfere with some features that you need to access and for other challenges. In the next unit, we learn more about how Shield Platform Encryption can affect other Salesforce services and apps.


Video: Tighten Your Security with Salesforce Shield Platform Encryption

Set up Shield Platform Encryption

Manage Permission Set Assignments

Which Fields Can I Encrypt?

Encrypt Files and Attachments



Remember, this module is meant for Salesforce Classic. When you launch your hands-on org, switch to Salesforce Classic to complete this challenge.

Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities