
Salesforce Shield Platform Encryption Implementation Guide


Feb 23, 2022 · purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later. Available in both Salesforce Classic and Lightning Experience. Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality.


Transcription of Salesforce Shield Platform Encryption Implementation Guide

Salesforce Shield Platform Encryption Implementation Guide

@salesforcedocs
Last updated: January 7, 2022

Copyright 2000-2022 , inc. All rights reserved. Salesforce is a registered trademark of , inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective

Contents

Strengthen Your Data's Security with Shield Platform Encryption
What You Can Encrypt
Which Standard Fields Can I Encrypt?
Which Custom Fields Can I Encrypt?
Which Files Are Encrypted?
What Other Data Elements Can I Encrypt?
How Encryption Works
Terminology
Classic vs Platform Encryption
Shield Encryption Flow
Search Index Encryption Flow
Sandbox
Why Bring Your Own Key?
Masked Data
Deployment
Set Up Your Encryption Policy
Required Permissions
Generate a Tenant Secret with Salesforce
Manage Tenant Secrets by Type
Encrypt New Data in Standard Fields
Encrypt Fields on Custom Objects and Custom Fields

Encrypt Files
Encrypt Data in Chatter
Encrypt Search Index Files
Encrypt Tableau CRM Data
Encrypt Event Bus Data
Fix Blockers
Stop Encryption
Filter Encrypted Data with Deterministic Encryption
How Deterministic Encryption Supports Filtering
Encrypt Data with the Deterministic Encryption Scheme
Key Management and Rotation
Work with Key Material
Rotate Keys
Back Up Your Tenant Secrets
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Destroy a Key
Require Multi-Factor Authentication for Key Management
Bring Your Own Key (BYOK)
Cache-Only Key Service
Shield Platform Encryption Customizations
Apply Encryption to Fields Used in Matching Rules
Retrieve Encrypted Data with Formulas
Encryption Trade-Offs
Encryption Best Practices
General Trade-Offs
Considerations for Using Deterministic Encryption

Lightning Trade-Offs
Field Limits
App Trade-Offs

STRENGTHEN YOUR DATA'S SECURITY WITH SHIELD PLATFORM ENCRYPTION

EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later. Available in both Salesforce Classic and Lightning Experience.

Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private : Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on

Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it's protected even when other lines of defense have been

data encryption key material is never saved or shared across orgs.

You can choose to have Salesforce generate key material for you or upload your own key material. By default, the Shield Key Management Service derives data encryption keys on demand from a master secret and your org-specific key material, and stores that derived data encryption key in an encrypted key

You can also opt out of key derivation on a key-by-key basis, or store your final data encryption key outside of Salesforce and have the Cache-Only Key Service fetch it on demand from a key service that you control. No matter how you choose to manage your keys, Shield Platform Encryption secures your key material at every stage of the encryption

You can try out Shield Platform Encryption at no charge in Developer Edition orgs. It is available in sandboxes after it has been provisioned for your production

THIS SECTION:

What You Can Encrypt
Shield Platform Encryption lets you encrypt a wide variety of standard fields and custom fields. You can also encrypt files and attachments stored in Salesforce, Salesforce search indexes, and more.

We continue to make more fields and files available

Shield Platform Encryption Works
Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. By default, we combine these secrets to create your unique data encryption key. You can also supply your own final data encryption key. We use your data encryption key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need

Set Up Your Encryption Policy
An encryption policy is your plan for encrypting data with Shield Platform Encryption. You can choose how you want to implement it. For example, you can encrypt individual fields and apply different encryption schemes to those fields. Or you can choose to encrypt other data elements such as files and attachments, data in Chatter, or search indexes. Remember that encryption is not the same thing as field-level security or object-level security. Put those controls in place before you implement your encryption

Filter Encrypted Data with Deterministic Encryption
You can filter data that's protected with Shield Platform Encryption using deterministic encryption.

Your users can filter records in reports and list views, even when the underlying fields are encrypted. You can apply case-sensitive deterministic encryption or exact-match case-insensitive deterministic encryption to data on a field-by-field

Key Management and Rotation
Shield Platform Encryption lets you control and rotate the key material used to encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then combined with a per-release master secret to derive a data encryption key. This derived data encryption key is then used in encrypt and decrypt functions. You can also use the Bring Your Own Key (BYOK) service to upload your own key material, or store key material outside of Salesforce and have the Cache-Only Key Service fetch your key material

Shield Platform Encryption Customizations
Some features and settings require adjustment before they work with encrypted

and Limitations of Shield Platform Encryption
A security solution as powerful as Shield Platform Encryption doesn't come without some tradeoffs.

When your data is encrypted, some users may see limitations to some functionality, and a few features aren't available at all. Consider the impact on your users and your overall business solution as you design your encryption

What You Can Encrypt

EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later. Available in both Salesforce Classic and Lightning Experience.

Shield Platform Encryption lets you encrypt a wide variety of standard fields and custom fields. You can also encrypt files and attachments stored in Salesforce, Salesforce search indexes, and more. We continue to make more fields and files available for

THIS SECTION:

Which Standard Fields Can I Encrypt?
You can encrypt certain fields on standard and custom objects, data in Chatter, and search index files. With some exceptions, encrypted fields work normally throughout the Salesforce user interface, business processes, and

Which Custom Fields Can I Encrypt?

You can apply Shield Platform Encryption to the contents of fields that belong to one of these custom field

Which Files Are Encrypted?
When you enable Shield Platform Encryption for files and attachments, all files and attachments that can be encrypted are encrypted. The body of each file or attachment is encrypted when it's

What Other Data Elements Can I Encrypt?
In addition to standard and custom field data and files, Shield Platform Encryption supports other Salesforce data. You can encrypt Tableau CRM data sets, Chatter fields, fields in the Salesforce B2B Commerce managed package, and

Which Standard Fields Can I Encrypt?

EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later. Available in both Salesforce Classic and Lightning Experience.

You can encrypt certain fields on standard and custom objects, data in Chatter, and search index files.

With some exceptions, encrypted fields work normally throughout the Salesforce user interface, business processes, and

When you encrypt a field, existing values aren't encrypted immediately. Values are encrypted only after they're touched or after they're synchronized with the latest encryption policy. Synchronize existing data with your policy on the Encryption Statistics page in

Standard Fields
You can encrypt the contents of these standard field

Object: Accounts
Fields: Account Name; Account Site; Billing Address (encrypts Billing Street and Billing City); Shipping Address (encrypts Shipping Street and Shipping City); Website
Notes: If you enabled Person Accounts, certain account and contact fields are combined into one record. In that case, you can enable encryption for a different set of Account

Object: Accounts with Person Accounts enabled
Fields: Account Name; Account Site; Assistant; Assistant Phone; Billing Address (encrypts Billing Street and Billing City); Description; Email; Fax; Home Phone; Mailing Address (encrypts Mailing Street and Mailing City); Mobile; Other Address (encrypts Other Street and Other City)

Fields (continued): Other Phone; Phone; Shipping Address (encrypts Shipping Street and Shipping City); Title; Website

Object: Activity
Fields: Description (encrypts Event Description and Task Comment); Subject (encrypts Event Subject and Task Subject)
Notes: Selecting an Activity field encrypts that field on standalone events, event series (Lightning Experience), and recurring events (Salesforce Classic).

Object: Business License
Fields: Identifier
Notes: Emergency Response Management for Public Sector standard objects and fields are available to users who have the Emergency Response for Public Sector permission

Object: Business License Application
Fields: Site Address (encrypts Site Street and Site City)

Object: Business Profile
Fields: Operating Name; Business Tax Identifier

Object: Cases
Fields: Description; Subject

Object: Case Comments
Fields: Body (including internal comments)

Object: Chat Transcript
Fields: Body; Supervisor Transcript Body
Notes: Before you can apply encryption to Chat fields, add the Supervisor Transcript Body field to the LiveChatTranscript record

Object: Point Address

Object: Contact Point Email
Fields: Email address

Object: Contact Point Phone
Fields: Telephone number

Object: Contacts
Fields: Assistant; Assistant Phone; Description; Email; Fax; Home Phone; Mailing Address (encrypts Mailing Street and Mailing City)

