Shield Platform Encryption for Salesforce
Notes on the advanced encryption tools for Salesforce
What is it?
- Salesforce’s premium product for encrypting some of your data while it’s at rest
- Important Note: Even though the data is encrypted at rest, users of the system will still see the data in the clear if they have access to the fields/records via field-level/record-level security. Encryption does not replace access control.
- It really is just for at-rest encryption
- Allows you to encrypt certain types of custom fields, standard fields, attachments, files, and content
- Allows for search too
Terminology
- Tenant Secret: Secret key generated for your specific org that is used in conjunction with Salesforce’s overall secret in order to encrypt your data
Misc. Notes
- Shield Platform Encryption uses 256-bit AES
- Shield Platform Encryption (SPE) does in fact cost extra, you have to purchase an additional license for it
- The more fields you include for encryption, the slower your SFDC experience will be, so choose wisely and encrypt only what’s necessary
- SPE works with many packages from the AppExchange; however, it doesn’t work with some, and some packages can even prevent you from enabling SPE. Read through the implementation guide to make sure you know which ones might not be supported
- When you rotate keys, all of your existing data is NOT automatically decrypted and re-encrypted with the new Tenant Secret that you’ve generated. Instead, your old tenant secret is archived and still used to access previous data encrypted with the old key.
- Important Note: You can contact SFDC support and they can help migrate your data so that all files, fields, and attachments are re-encrypted with the new, active Tenant Secret
- After enabling Shield Encryption and choosing your fields, only values in records created or edited after encryption is turned on are encrypted; it DOES NOT encrypt historical data automatically
- You can contact SFDC support to help with this
- Allows for more robust automation based on the fields that are encrypted
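The key-rotation notes above describe a versioned keyring: one active tenant secret for new writes, archived secrets kept only to read older data, and a separate migration step to re-encrypt everything under the active secret. The Go program below is an added illustration of that model, not Salesforce's code; the SHA-256 derivation of the AES key from a placeholder platform secret plus tenant secret, the 4-byte version header on each stored value, and the `Keyring`, `Migrate` and `StaleCount` names are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed placeholder for the platform-wide secret that is combined
// with each tenant secret; the real one never leaves Salesforce.
var platformSecret = []byte("constructed-platform-secret-placeholder")

// deriveKey combines the platform secret and a tenant secret into a
// 256-bit AES key. SHA-256 over both is an illustrative derivation only.
func deriveKey(tenantSecret []byte) []byte {
	h := sha256.New()
	h.Write(platformSecret)
	h.Write(tenantSecret)
	return h.Sum(nil)
}

// Keyring holds the active key version plus every archived version, so
// values written under an older tenant secret stay readable.
type Keyring struct {
	active uint32
	keys   map[uint32][]byte
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// Rotate generates a fresh tenant secret and makes it active; the previous
// version is archived (kept for reads), not deleted, and not used for writes.
func (k *Keyring) Rotate() (uint32, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return 0, err
	}
	k.active++
	k.keys[k.active] = deriveKey(secret)
	return k.active, nil
}

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("no tenant secret for key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a field value under the active key with AES-256-GCM and
// prefixes a 4-byte key version, also bound as associated data, so a reader
// can later select the matching (possibly archived) secret.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.active)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, k.active)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(hdr, nonce...) // hdr is full, so this allocates a new slice
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// KeyVersion reports which tenant secret a stored value was written under.
func KeyVersion(ciphertext []byte) (uint32, error) {
	if len(ciphertext) < 4 {
		return 0, errors.New("ciphertext too short")
	}
	return binary.BigEndian.Uint32(ciphertext[:4]), nil
}

// Decrypt uses the version recorded in the value, which may point at an
// archived secret, and fails if the header was altered.
func (k *Keyring) Decrypt(ciphertext []byte) ([]byte, error) {
	version, err := KeyVersion(ciphertext)
	if err != nil {
		return nil, err
	}
	gcm, err := k.aead(version)
	if err != nil {
		return nil, err
	}
	body := ciphertext[4:]
	if len(body) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], ciphertext[:4])
}

// Migrate re-encrypts a value under the active secret if it was written
// under an older one; this is the step that rotation alone does not do.
func (k *Keyring) Migrate(ciphertext []byte) ([]byte, error) {
	version, err := KeyVersion(ciphertext)
	if err != nil {
		return nil, err
	}
	if version == k.active {
		return ciphertext, nil
	}
	plaintext, err := k.Decrypt(ciphertext)
	if err != nil {
		return nil, err
	}
	return k.Encrypt(plaintext)
}

// StaleCount counts stored values that still depend on an archived secret,
// i.e. the work a re-encryption migration would have to do.
func (k *Keyring) StaleCount(values [][]byte) int {
	n := 0
	for _, v := range values {
		if ver, err := KeyVersion(v); err == nil && ver != k.active {
			n++
		}
	}
	return n
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	old, _ := kr.Encrypt([]byte("constructed value written before rotation"))
	kr.Rotate()
	fresh, _ := kr.Encrypt([]byte("constructed value written after rotation"))
	values := [][]byte{old, fresh}
	fmt.Println("stale after rotation:", kr.StaleCount(values))
	values[0], _ = kr.Migrate(old)
	fmt.Println("stale after migration:", kr.StaleCount(values))
}
```

The point to take from `StaleCount` is operational: after a rotation, every value still tagged with an archived version is unreadable the moment that archived secret is gone, which is why the re-encryption migration (the support-assisted step in the notes) should be tracked to completion rather than assumed.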