Transcription of Salesforce Shield Platform Encryption Implementation Guide
Salesforce Shield Platform Encryption Implementation Guide
@salesforcedocs
Last updated: January 7, 2022

Copyright 2000–2022 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.

Contents

Strengthen Your Data's Security with Shield Platform Encryption
  What You Can Encrypt
    Which Standard Fields Can I Encrypt?
    Which Custom Fields Can I Encrypt?
    Which Files Are Encrypted?
    What Other Data Elements Can I Encrypt?
  How Shield Platform Encryption Works
    Terminology
    Classic vs Platform Encryption
    Shield Encryption Flow
    Search Index Encryption Flow
    Sandbox
    Why Bring Your Own Key?
    Masked Data
    Deployment
  Set Up Your Encryption Policy
    Required Permissions
    Generate a Tenant Secret with Salesforce
    Manage Tenant Secrets by Type
    Encrypt New Data in Standard Fields
    Encrypt Fields on Custom Objects and Custom Fields
    Encrypt Files
    Encrypt Data in Chatter
    Encrypt Search Index Files
    Encrypt Tableau CRM Data
    Encrypt Event Bus Data
    Fix Blockers
    Stop Encryption
  Filter Encrypted Data with Deterministic Encryption
    How Deterministic Encryption Supports Filtering
    Encrypt Data with the Deterministic Encryption Scheme
  Key Management and Rotation
    Work with Key Material
    Rotate Keys
    Back Up Your Tenant Secrets
    Get Statistics About Your Encryption Coverage
    Synchronize Your Data Encryption
    Destroy a Key
    Require Multi-Factor Authentication for Key Management
    Bring Your Own Key (BYOK)
    Cache-Only Key Service
  Shield Platform Encryption Customizations
    Apply Encryption to Fields Used in Matching Rules
    Retrieve Encrypted Data with Formulas
  Tradeoffs and Limitations of Shield Platform Encryption
    Encryption Best Practices
    General Trade-Offs
    Considerations for Using Deterministic Encryption
    Lightning Trade-Offs
    Field Limits
    App Trade-Offs

STRENGTHEN YOUR DATA'S SECURITY WITH SHIELD PLATFORM ENCRYPTION

EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions.
Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer '15 and later. Available in both Salesforce Classic and Lightning Experience.

Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data.

Note: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it's protected even when other lines of defense have been compromised.

Your data encryption key material is never saved or shared across orgs. You can choose to have Salesforce generate key material for you or upload your own key material. By default, the Shield Key Management Service derives data encryption keys on demand from a master secret and your org-specific key material, and stores that derived data encryption key in an encrypted key cache. You can also opt out of key derivation on a key-by-key basis, or store your final data encryption key outside of Salesforce and have the Cache-Only Key Service fetch it on demand from a key service that you control.
No matter how you choose to manage your keys, Shield Platform Encryption secures your key material at every stage of the encryption process.

You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It is available in sandboxes after it has been provisioned for your production org.

IN THIS SECTION:

What You Can Encrypt
Shield Platform Encryption lets you encrypt a wide variety of standard fields and custom fields. You can also encrypt files and attachments stored in Salesforce, Salesforce search indexes, and more. We continue to make more fields and files available for encryption.

How Shield Platform Encryption Works
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. By default, we combine these secrets to create your unique data encryption key. You can also supply your own final data encryption key. We use your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it.

Set Up Your Encryption Policy
An encryption policy is your plan for encrypting data with Shield Platform Encryption. You can choose how you want to implement it. For example, you can encrypt individual fields and apply different encryption schemes to those fields. Or you can choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption policy.

Filter Encrypted Data with Deterministic Encryption
You can filter data that's protected with Shield Platform Encryption using deterministic encryption. Your users can filter records in reports and list views, even when the underlying fields are encrypted. You can apply case-sensitive deterministic encryption or exact-match case-insensitive deterministic encryption to data on a field-by-field basis.

Key Management and Rotation
Shield Platform Encryption lets you control and rotate the key material used to encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then combined with a per-release master secret to derive a data encryption key. This derived data encryption key is then used in encrypt and decrypt functions. You can also use the Bring Your Own Key (BYOK) service to upload your own key material, or store key material outside of Salesforce and have the Cache-Only Key Service fetch your key material on demand.

Shield Platform Encryption Customizations
Some features and settings require adjustment before they work with encrypted data.

Tradeoffs and Limitations of Shield Platform Encryption
A security solution as powerful as Shield Platform Encryption doesn't come without some tradeoffs.
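The three ideas this section describes, a data encryption key derived from a Salesforce-held master secret plus an org-specific tenant secret, deterministic encryption that lets equal field values be matched without decrypting them, and key rotation that only takes effect for stored data once it is re-encrypted, are modelled in the following added example. It is illustrative code written for this page, not Salesforce's implementation: the real Shield Key Management Service derives keys inside an HSM, whereas here HKDF (RFC 5869) stands in for the derivation and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the service's cipher, so the script runs with only the Python standard library. All function names, labels and sample secrets are constructed for the example.

```python
"""Constructed model of derived-key field encryption with deterministic
filtering and key rotation. Added illustration, not Salesforce code."""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_dek(master_secret: bytes, tenant_secret: bytes) -> bytes:
    """Derive a 256-bit data encryption key (DEK) from both secrets (assumed
    KDF layout). A new tenant secret yields a new DEK; neither secret alone
    can recover data."""
    return hkdf_sha256(ikm=tenant_secret, salt=master_secret, info=b"field-dek")


def _subkey(dek: bytes, purpose: bytes) -> bytes:
    return hkdf_sha256(dek, b"", purpose)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(dek: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag  # 16-byte nonce || ciphertext || 16-byte tag


def encrypt_probabilistic(dek: bytes, value: str) -> bytes:
    """Fresh random nonce per write: equal values give different ciphertexts,
    so nothing about the stored rows reveals which ones match."""
    return _seal(dek, os.urandom(16), value.encode())


def encrypt_deterministic(dek: bytes, value: str) -> bytes:
    """Synthetic IV (SIV-style): the nonce is a keyed hash of the exact
    plaintext, so equal values give byte-identical ciphertexts that a
    filter can compare. This is case-sensitive matching."""
    nonce = hmac.new(_subkey(dek, b"siv"), value.encode(), hashlib.sha256).digest()[:16]
    return _seal(dek, nonce, value.encode())


def decrypt(dek: bytes, blob: bytes) -> str:
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream)).decode()


def can_decrypt(dek: bytes, blob: bytes) -> bool:
    try:
        decrypt(dek, blob)
        return True
    except ValueError:
        return False


def filter_equal(dek: bytes, records: dict, value: str) -> list:
    """Exact-match filter over deterministically encrypted rows: encrypt the
    probe once and compare ciphertexts, never decrypting the rows."""
    probe = encrypt_deterministic(dek, value)
    return [rid for rid, blob in records.items() if blob == probe]


def rotate(old_dek: bytes, new_dek: bytes, records: dict) -> dict:
    """Re-encrypt every stored value under the new DEK (the synchronize step
    after a tenant-secret rotation). Until this runs, old rows still need
    the old key, which is why retired key material must stay available."""
    return {rid: encrypt_deterministic(new_dek, decrypt(old_dek, blob))
            for rid, blob in records.items()}


if __name__ == "__main__":
    # Constructed sample secrets and values; not real Salesforce material.
    master = b"constructed-master-secret"
    dek_v1 = derive_dek(master, b"constructed-tenant-secret-v1")
    dek_v2 = derive_dek(master, b"constructed-tenant-secret-v2")
    rows = {"001": encrypt_deterministic(dek_v1, "Ada Lovelace"),
            "002": encrypt_deterministic(dek_v1, "Grace Hopper"),
            "003": encrypt_deterministic(dek_v1, "Ada Lovelace")}
    print("matches for 'Ada Lovelace':", filter_equal(dek_v1, rows, "Ada Lovelace"))
    print("old rows readable with new key:", can_decrypt(dek_v2, rows["001"]))
    rows = rotate(dek_v1, dek_v2, rows)
    print("after synchronize:", decrypt(dek_v2, rows["002"]))
```

Two properties of the model carry over to the real service. Deterministic encryption is what makes filtering possible, but it does so precisely by revealing which rows hold the same value, which is why the guide's later section on deterministic encryption treats it as a per-field choice rather than a default. And rotating the tenant secret changes only which key new writes use; rows written under the old key remain readable only with that key until the re-encryption step has run, so the old key material must be backed up and must not be destroyed before that step completes.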