Salesforce Platform Encryption Tipsheet
Encrypt Your Data and Keep Core Functionality

Platform Encryption provides an extra layer of Salesforce security while enabling users to enjoy business-critical platform features such as search, workflow, and validation rules.

Now you can encrypt data stored throughout Salesforce, whether in the Sales Cloud, Service Cloud, or even custom apps. Encrypt sensitive, confidential, and private data at rest on the Salesforce Platform to help meet privacy policies, regulatory requirements, and contractual obligations for handling private data. Salesforce Platform Encryption sets up in minutes with no additional hardware or software and uses native, strong, standards-based encryption.

Shield Platform Encryption Terminology
Encryption has its own specialized vocabulary. To get the most out of your Shield Platform Encryption features, it's a good idea to familiarize yourself with key terms such as hardware security module, key rotation, and master secret.
Data Encryption
The process of applying a cryptographic function to data that results in ciphertext. The platform encryption process uses symmetric key encryption: a 256-bit Advanced Encryption Standard (AES) algorithm in CBC mode with a randomized 128-bit initialization vector (IV) to encrypt field-level data and files stored on the Salesforce Platform. Both data encryption and decryption occur on the application servers.
Data Encryption Keys
Shield Platform Encryption uses data encryption keys to encrypt and decrypt data. Data encryption keys are derived on the Shield Key Management Service (KMS) using keying material split between a per-release master secret and an org-specific tenant secret stored encrypted in the database. The 256-bit derived keys exist in memory until evicted from the cache.
Encrypted Data at Rest
Data that is encrypted when persisted on disk. Salesforce supports encryption for fields stored in the database; documents stored in files, content libraries, and attachments; search index files; Einstein Analytics datasets; and archived data.
Encryption Key Management
Refers to all aspects of key management, such as key generation processes and storage. Administrators or users who have the Manage Encryption Keys permission can work with Shield Platform Encryption key material.

Hardware Security Module (HSM)
Used to provide cryptographic processing and key management for authentication. Shield Platform Encryption uses HSMs to generate and store secret material and to run the function that derives the data encryption keys used by the encryption service to encrypt and decrypt data.

Initialization Vector (IV)
A random value used together with a key to encrypt data. A fresh IV is generated for each encryption, so identical plaintexts encrypted under the same key produce different ciphertexts.

Last updated March

Shield Key Management Service (KMS)
Generates, wraps, unwraps, derives, and secures key material. When deriving key material, the Shield KMS uses a pseudorandom number generator and input such as a password to derive keys. Shield Platform Encryption uses PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA-256.

Key Rotation
The process of generating a new tenant secret and archiving the previously active one. Active tenant secrets are used for both encryption and decryption. Archived ones are used only for decryption, until all data has been re-encrypted using the new active tenant secret.

Master HSM
The master HSM is a USB device used to generate secure random secrets for each Salesforce release. The master HSM is air-gapped from Salesforce's production network and stored securely in a bank safety deposit box.
Master Secret
Used with the tenant secret and the key derivation function to generate a derived data encryption key (customers can opt out of key derivation). The master secret is rotated each release by Salesforce and encrypted using the per-release master wrapping key, which is in turn encrypted with the Shield KMS's public key so it can be stored encrypted on the file system. Only HSMs can decrypt it. No Salesforce employees have access to these keys in cleartext.
Master Wrapping Key
A symmetric key that is derived and used as a master wrapping key (also known as a key wrapping key), encrypting the bundle of all per-release keys and secrets.
Tenant Secret
An organization-specific secret used in conjunction with the master secret and the key derivation function to generate a derived data encryption key. When an organization administrator rotates a key, a new tenant secret is generated. To access the tenant secret via the API, refer to the TenantSecret object. No Salesforce employees have access to these keys in cleartext.

Platform Encryption Q&A

What are the hardware and software requirements for using Platform Encryption?
None. The crypto functions run natively on the Salesforce platform. No custom code is required to encrypt or decrypt data.

Must I encrypt all of my data when using Platform Encryption?
No. Not all data is sensitive, so encryption is not always required. Unnecessarily encrypting data can also affect performance and functionality.

When I enable Platform Encryption, how are my existing encrypted fields affected?
The Platform Encryption process does not affect fields encrypted using Classic Encryption.
What encryption algorithm is used with Platform Encryption?
Platform Encryption uses symmetric key encryption and a 256-bit Advanced Encryption Standard (AES) algorithm to encrypt field-level data and files stored on the Salesforce platform. Both data encryption and decryption occur on the application servers. Encryption is integrated into the Salesforce application, so the application knows when data needs to be encrypted or decrypted. Whether you're accessing data through the user interface or the API, encryption and decryption are handled the same way.


Can I access tenant secrets using the API?
Yes. For example, you can use the API to define an automatic process to rotate the Platform Encryption key regularly. For detailed information, search for TenantSecret in the Object Reference for Salesforce and Lightning Platform.
Will data encryption keys that are held in memory rotate automatically when Salesforce rotates the master secret?
No. While Salesforce rotates the master secret on a per-release basis, customers' data encryption keys are not affected. No new data encryption key is derived automatically.

I use Platform Encryption and the Encrypted checkbox is not visible when I create or edit an existing custom field. Why?
Only Email, Phone, Text, Text Area, Text Area (Long), and URL custom field types are available for


What happens to existing data if I rotate a tenant secret?
When you generate a new tenant secret, existing encrypted data remains encrypted and accessible as long as the old tenant secret is not destroyed. New data, and existing data when it is next saved, is encrypted using the new tenant secret. There is no functional difference to the user.

How finely can I control what data is encrypted with Platform Encryption?
For field data, you control exactly which supported standard and custom fields to encrypt. For files and attachments, you control whether or not encryption is enabled in your organization.

If I enable Platform Encryption, is the format for custom phone, email, and URL fields preserved?
Yes. Formats for custom phone, email, and URL fields are preserved when they are encrypted.

Are the Hardware Security Modules (HSMs) shared by multiple tenants?
Yes. The Hardware Security Modules (HSMs) are shared across multiple tenants.
Do third-party vendors have access to the Hardware Security Modules (HSMs)?
No. Salesforce controls access to the HSMs exclusively.
How long are the tenant secret, master secret, and data encryption keys?
256 bits in length.
Where is my data encryption key stored?
The keys are stored only in memory and never persisted on disk.
What is the limit for how many keys we can have?
There is only a single active key for encrypting data at any time. There is no limit on the number of keys used for decryption.
How is my organization-specific key generated?
The data encryption keys are derived by a key derivation function (KDF) that combines a master secret with an organization-specific tenant secret.
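As an added example (not code from the tipsheet and not Salesforce's own implementation), the derivation step described under Shield Key Management Service and in the answer above, written out in Go: PBKDF2 with HMAC-SHA-256 combining a master secret and a tenant secret into a 256-bit data encryption key. Which secret plays the PBKDF2 password and which the salt, the iteration count, and the sample secret values are assumptions for illustration; the tipsheet only states that the KDF combines the two.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2HMACSHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF, written
// out so each step of the derivation is visible. Production code should use a
// vetted library implementation instead.
func pbkdf2HMACSHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(password, salt || INT(i)), i as a 4-byte big-endian counter.
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1}); T_i = U_1 XOR U_2 XOR ... XOR U_c.
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// kdfIterations is an assumed work factor for this example.
const kdfIterations = 100000

// DeriveDEK combines the per-release master secret and the org-specific tenant
// secret into a 256-bit data encryption key. Using the tenant secret as the
// PBKDF2 password and the master secret as the salt is an assumption.
func DeriveDEK(masterSecret, tenantSecret []byte) []byte {
	return pbkdf2HMACSHA256(tenantSecret, masterSecret, kdfIterations, 32)
}

func main() {
	// Constructed sample secrets; real ones are random values produced by an HSM.
	master := []byte("per-release-master-secret-sample")
	tenantV1 := []byte("tenant-secret-version-1")
	tenantV2 := []byte("tenant-secret-version-2")

	dek1 := DeriveDEK(master, tenantV1)
	dek2 := DeriveDEK(master, tenantV2)
	fmt.Println("DEK for tenant secret v1:", hex.EncodeToString(dek1))
	fmt.Println("DEK for tenant secret v2:", hex.EncodeToString(dek2))
	// The same inputs always give the same key, which is why a derived key never
	// has to be written to disk: evict it from memory and derive it again on demand.
	again := DeriveDEK(master, tenantV1)
	fmt.Println("re-derivation matches:", hex.EncodeToString(again) == hex.EncodeToString(dek1))
}
```

Rotating the tenant secret changes the derived key, which is the whole mechanism behind key rotation; the old key can still be re-derived as long as the old tenant secret exists, and cannot be once that secret is destroyed.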
Where are encryption policies defined?
Your organization defines its own policies.

Can I re-encrypt encrypted data?
Yes. While this process is not automated, you can export the record IDs for records that include encrypted fields and mass update those records using an ETL tool such as Data Loader. The existing data is then decrypted with the relevant old keys and re-encrypted with the new active one. However, this process isn't available for files and attachments.
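As an added example (not code from the tipsheet and not Salesforce's own implementation), a Go model of the key states described under Key Rotation and in the two answers above: one active key that encrypts and decrypts, archived keys that only decrypt, destroyed keys that make their data unrecoverable, and the manual re-encryption pass that moves a value onto the active key. The cipher is AES-256-CBC with a random 128-bit IV as the tipsheet describes; the Envelope layout, the key version numbering, and the sample value are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one stored encrypted value: the key version it was encrypted
// under, the random 128-bit IV, and the AES-256-CBC ciphertext (assumed layout).
type Envelope struct {
	KeyVersion     int
	IV, Ciphertext []byte
}

// KeyRing models an org's key state: the active version encrypts and decrypts,
// archived versions only decrypt, destroyed versions are gone for good.
type KeyRing struct {
	active int
	keys   map[int][]byte
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[int][]byte{}} }

// Rotate generates a fresh random 256-bit key and makes it the active version;
// the previous active key stays in the ring for decryption only.
func (r *KeyRing) Rotate() int {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r.active++
	r.keys[r.active] = key
	return r.active
}

// Destroy deletes a key version; data still encrypted under it is unrecoverable.
func (r *KeyRing) Destroy(version int) { delete(r.keys, version) }

// Encrypt uses the active key and a fresh random IV per value, so equal plaintexts
// never share a ciphertext. Plain CBC gives no integrity protection; a stand-alone
// design would add a MAC over IV||Ciphertext before storing the envelope.
func (r *KeyRing) Encrypt(plaintext []byte) (Envelope, error) {
	key, ok := r.keys[r.active]
	if !ok {
		return Envelope{}, errors.New("no active key: call Rotate first")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return Envelope{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Envelope{}, err
	}
	// PKCS#7 padding to a whole number of 16-byte blocks.
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return Envelope{KeyVersion: r.active, IV: iv, Ciphertext: ct}, nil
}

// Decrypt looks up the key version recorded in the envelope, so values written
// under an archived key stay readable until that version is destroyed.
func (r *KeyRing) Decrypt(e Envelope) ([]byte, error) {
	key, ok := r.keys[e.KeyVersion]
	if !ok {
		return nil, fmt.Errorf("key version %d is destroyed; data is unrecoverable", e.KeyVersion)
	}
	if len(e.IV) != aes.BlockSize || len(e.Ciphertext) == 0 || len(e.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(e.Ciphertext))
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, e.Ciphertext)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// Reencrypt is the manual migration step: decrypt under whatever version the
// value carries, then encrypt again under the active key.
func (r *KeyRing) Reencrypt(e Envelope) (Envelope, error) {
	pt, err := r.Decrypt(e)
	if err != nil {
		return Envelope{}, err
	}
	return r.Encrypt(pt)
}

func main() {
	ring := NewKeyRing()
	v1 := ring.Rotate()
	old, _ := ring.Encrypt([]byte("SSN 123-45-6789")) // constructed sample value
	v2 := ring.Rotate()
	pt, _ := ring.Decrypt(old) // v1 is archived, not destroyed, so this still works
	fmt.Printf("after rotating to v%d, a v%d value still decrypts: %q\n", v2, v1, pt)
	fresh, _ := ring.Reencrypt(old)
	ring.Destroy(v1)
	_, err := ring.Decrypt(old)
	fmt.Println("old envelope after destroying v1:", err)
	pt, _ = ring.Decrypt(fresh)
	fmt.Printf("re-encrypted copy under v%d: %q\n", fresh.KeyVersion, pt)
}
```

The order of operations in main is the one that matters operationally: rotate, re-encrypt everything still carrying the old version, and only then destroy the old key. Destroying first leaves any envelope still tagged with that version permanently unreadable, which is exactly the "as long as the old tenant secret is not destroyed" condition above.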
Can a Platform Encryption key be shared across more than one organization?
No. Encryption keys are specific to an organization and can't be shared with other organizations.


Does encrypting fields, files, and attachments with Platform Encryption count against my organization's storage limits?
No. Encryption and decryption do count against your organization's per-transaction Apex limits, but they are not counted as separate transactions.

If I can see encrypted data, can Salesforce Support representatives see the data too?
Yes, if they have access to the object, record, and field.

More Information About Platform Encryption
You don't have to be a security expert to administer a Salesforce organization with Shield Platform Encryption, but you should be an experienced admin with a working knowledge of data security. The Salesforce Platform Encryption white paper (http://sfdc.co/encrypt) is a good starting point. For even more information, try these resources:
For a comprehensive view of how Shield Platform Encryption fits into an overall Salesforce security policy, search for "security guide" at developer.salesforce.com.
For detailed instructions and background information on setting up Shield Platform Encryption, search for "platform encryption" at success.salesforce.com.
For troubleshooting help while working with Shield Platform Encryption, search for "platform encryption" at help.salesforce.com.
For a view of the features other customers have requested and what's coming in future releases, search for "encryption" at https://success.salesforce.com/ideaSearch.