Skip to main content
Free Agentforce workshops and AI Certifications: Learn more. Terms and conditions apply.

Set Up and Manage Shield Platform Encryption

Learning Objectives

After completing this unit, you’ll be able to:

  • Create a tenant secret.
  • Enable encryption for files, fields, and attachments.
  • Assign permission to generate, rotate, and archive your org’s keys.

Putting Encryption to Practice

Now that we know a bit about what encryption is and why it’s important, we’ll look at how it works in practice.

Let’s tag along with Doc Mosey. He’s starting his own practice! He’s going to be that country doctor he always wanted to be, making house calls and helping families, from treating little Sally’s scrapes to Great Grandpa’s arthritis. But he can’t afford to leave the 21st century behind. He needs to make sure that his patient records and clinic web portals are safe, secure, and compliant with the latest regulatory requirements.

Enter Shield Platform Encryption to provide the safety and trust that's worthy of a small-town doc.

Doc Mosey’s Security Needs

Now that Doc Mosey has his clinic all set up, he needs to make sure that his electronic patient records and online patient portal are ready for action. He’s done his homework and has decided to use Salesforce to meet regulatory requirements for securing access to health records. Roles and profiles help regulate internal access to certain records: Nurses have access to health records and lab results, office assistants can update contact and basic record information, and patients are able to update personal information and print prescriptions online.

But the doctor wants to make doubly sure that his patients’ health information is protected from unauthorized external access. He’s decided to buy a Shield Platform Encryption license to enhance the security of his patients’ protected health information that’s stored in the clinic’s org. This license also lets him assign a wider range of permissions to in-house staff.

Healthcare industry security and compliance

Ready to Get Hands-on with Shield Platform Encryption?

Create a new Trailhead Playground now to follow along and try out the steps in this module. Scroll to the bottom of this page, click the playground name, and then select Create Playground. It typically takes 3–4 minutes for Salesforce to create your Trailhead Playground. You also use the playground when it's time to complete the hands-on challenges. 

Note

Yes, we really mean a brand-new Trailhead playground! If you use an existing org or playground, you can run into problems completing the challenges.

Assign Permissions and Create a Tenant Secret

Assign Permissions

Because Doc Mosey’s going to be busy with patients, he asked you to handle the Shield Platform Encryption setup. Doc Mosey goes through the steps to give you the “Customize Application” and “Manage Encryption Keys” permissions.

  1. From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
  2. Click New.
  3. Create a label for the set of permissions, for example, Key Manager. The API name populates with a variation of your chosen label.
  4. Click Save.
  5. In the System section of the Key Manager page, select System Permissions.
  6. Click Edit, and enable the Customize Application and Manage Encryption Keys permissions.
  7. Click Save.
  8. From Setup, enter Users in the Quick Find box, then select Users.
  9. Select the name you want in the User list (in this case, that’s yours).
  10. Scroll down to Permission Set Assignments, and select Edit Assignments.
  11. Select Key Manager, then add it to the Enabled Permission Sets list.
  12. Click Save.

If Doc Mosey wanted to manage tenant secrets himself, he would assign these permissions to himself using the same process.

Generate a Tenant Secret

As we learned in the last unit, tenant secrets are used to derive your encryption keys. They work with the Salesforce-generated primary secret, but your tenant secret is specific to your org. In this way, the data in each of your orgs is encrypted with keys unique to that org.

Before you can start encrypting patient data, you’ll need to create a tenant secret.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the key management table, select Generate Tenant Secret.Key Management page showing generate secret button

It’s as easy as that. Now you have a tenant secret that the Salesforce key management service can use to create the keys. Those keys encrypt and decrypt the clinic’s data.

Export and Import Tenant Secrets

As a security-minded person, you understand that tenant secrets, like other digital information, need to be backed up. If you or any other authorized org user loses access to encrypted data, you can import a copy of active tenant secrets to regain access to data.

From the Platform Encryption page, click Export to create a local copy of the tenant secret. Your tenant secret is a text file with a long string of unique characters that is encrypted by the Salesforce key management service.

Give this file a meaningful name to remember which tenant secret it includes, and save it in a safe place.

After you have exported it, it is safe to destroy. But if you need it after you have destroyed it, you can import what you exported to regain access to data.

Key Management page showing import key button

In the Key Management Table, click Import. Click Choose File. Choose the file with the correct tenant secret. Then click Save.

Key Hygiene: Management Best Practices

Doc Mosey is fastidiously clean by trade and habit, and he encourages you to regularly update your org’s tenant secret. Just like updating a password, frequently updating tenant secrets reduces the likelihood that malicious third parties can brute-force their way into your org.

Generating a new tenant secret and archiving the old one is called key rotation, because your new tenant secret generates new encryption keys. Your organization’s regulatory bodies and security policies often recommend that you rotate your tenant secrets (and keys) at specific intervals.

Note

You can update key material every 24 hours.

You can update your tenant secret in just a few steps.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management. The Status column in the Key Management view identifies tenant secrets as either Active, Archived, or Destroyed. Key Management page with showing tenant secret type and status
  2. In the Key Management Table, select a key type tab.
  3. To generate a new tenant secret, click Generate Tenant Secret. This action archives the previously active tenant secret of that type.
Note

You can have at most 50 tenant secrets (total of Active and Archived). When you have 50, the Generate Tenant Secret button is unavailable. To add an new tenant secret, you need to export and back up an unused one, and then destroy it.

An archived tenant secret can’t encrypt new data, but the app uses these archived keys to decrypt the data that was previously encrypted with it.

What if you need to encrypt all of your data with the same tenant secret? Not a problem. You can use the Self-Service Background Encryption service to do that yourself.

Encrypt Fields, Files, and Attachments

Now that you have an active tenant secret, you can start encrypting data. Doc Mosey’s asked you to encrypt the parts of patient records that include protected health information, which might include standard fields, like Description and Email, or custom Text fields.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Settings.
  2. In Advanced Encryption Settings, next to Encrypt Standard Fields, click on Select Fields.
    Advanced Encryption Settings
  1. Click Edit.
    Select fields for encryption
  1. Select the fields you want to encrypt, and click Save.

The automatic validation process checks all your org settings and sends you an email. If any settings block or prevent encryption, you receive instructions for fixing them. No blockers? Super! You’re all set. Field values are encrypted only in records created or updated after encryption is enabled.

Remember, encryption doesn’t take the place of field-level access controls. Encrypted data looks just like unencrypted data from the user’s point of view. Think about those employees in the clinic, such as nurses or lab technicians, who need to view data in those encrypted fields. Assign the appropriate field-level access to those staff members.

Encrypt Files and Attachments

Doc Mosey loves electronic records because he can quickly update patient information in easy-to-access files. When he gets results back from labs or receives patient records from other medical facilities, he wants to encrypt the contents of the files and attach them to the patient records in Salesforce.

You’ve done your homework and know how to help Doc: file and attachment encryption.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Settings.
  2. In the Encryption Policy section, click toggle (enable) next to Encrypt Files and Attachments.
    Encrypt Files and Attachments option.
  3. Click Save.

Now you, Doc Mosey, and anyone else with the Customize Application permission can encrypt supported file types and even attachments. For example, if Mr. Smith brought in test results from his cardiologist, Doc could upload that file to Mr. Smith’s patient record and encrypt it.

As with encrypted fields, encryption for files and attachments affects only files and attachments created after encryption is enabled. Enabling encryption doesn’t automatically encrypt files and attachments that were already in Salesforce. But you can use the Encryption Statistics and Data Sync page to encrypt existing files.

Way to go! You’ve done Doc proud, and the clinic’s patients can sleep well knowing that their information is safe and secure.

Ready for the next challenge? Before you dive in, we recommend that you create a new Developer Edition org. Shield Platform Encryption can interfere with some features that you need to access and for other challenges. In the next unit, we learn more about how Shield Platform Encryption can affect other Salesforce services and apps.

Resources

Note

Remember, this module is meant for Lightning Experience. When you launch your hands-on org, switch to Lightning Experience to complete this challenge.

Comparta sus comentarios sobre Trailhead en la Ayuda de Salesforce.

Nos encantaría conocer su experiencia con Trailhead. Ahora puede acceder al nuevo formulario de comentarios cuando quiera desde el sitio de la Ayuda de Salesforce.

Más información Continuar para compartir comentarios