Salesforce Shield Encryption is a set of security features offered by Salesforce to help organizations protect their sensitive data within the Salesforce platform.
Salesforce Shield Encryption includes the following components:
- Platform Encryption
- Event Monitoring
- Field Audit Trail
- Transaction Security
This article focuses on Platform Encryption, which allows us to encrypt data at rest. “At rest” means any data that is inactive or stored in files, spreadsheets, standard and custom fields, and even databases and data warehouses. Encrypting it helps safeguard sensitive information such as customer records and financial data.
We can selectively encrypt standard and custom fields, and the encryption keys are managed by Salesforce for added security. Shield Platform Encryption also gives customers a compliance advantage: it lets you demonstrate compliance with regulatory and industry requirements and show that you meet contractual obligations for securing private data in the cloud.
How do I enable Shield Encryption?
- After procuring the required license from Salesforce, enable the Customize Application and Manage Encryption Keys permissions.
- Enable Shield Platform Encryption for your org, then create org-specific tenant secrets and customize the encryption settings for each org.
- Generate a tenant secret: from Setup, in the Quick Find box, enter Platform Encryption, select Key Management, and then select Generate Tenant Secret. We now have a tenant secret that the Salesforce key management service uses to derive the keys that encrypt and decrypt the data.
How to Encrypt Fields in Salesforce?
Once we have an active tenant secret, we can start encrypting data.
- From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
- Select Encrypt Fields, then click Edit.
- Select the fields you want to encrypt, and click Save.
The automatic validation process checks all the org settings and sends us an email. If any settings block or prevent encryption, the email includes instructions for fixing them. For example, if the field being encrypted is referenced in a formula field or in Apex code, that reference blocks the field from being encrypted and has to be tackled with a different strategy. If there are no blockers, the field is encrypted successfully.
In general, implementing Shield encryption in a heavily customized Salesforce application is a challenge because of the constraints imposed by the encryption policy. We will try to explore those considerations in detail in another article. So it is always better to have sufficient buffer time before committing to the implementation of Shield encryption in any org, and it is advisable to implement and test it in a sandbox first. Happy Encryptions!!
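As an added example (not from the original article and not a Salesforce tool), a small Python pre-check that scans retrieved org metadata for references to the fields you plan to encrypt, so formula and Apex blockers surface before you run the Encryption Policy validation. The file layout assumed is the SFDX source format (Apex in `.cls`/`.trigger` files, custom fields in `.field-meta.xml` files with a `<formula>` element), and the sample metadata is constructed inline.

```python
import re
from typing import Dict, List, Set

# Constructed sample metadata in the assumed SFDX source layout.
SAMPLE_METADATA: Dict[str, str] = {
    "force-app/main/default/classes/AccountService.cls":
        "public class AccountService {\n"
        "  public static List<Account> byTaxId(String tid) {\n"
        "    return [SELECT Id FROM Account WHERE Tax_Id__c = :tid];\n"
        "  }\n"
        "}\n",
    "force-app/main/default/objects/Account/fields/Tax_Label__c.field-meta.xml":
        "<CustomField><fullName>Tax_Label__c</fullName>"
        "<formula>'Tax: ' &amp; Tax_Id__c</formula><type>Text</type></CustomField>",
    "force-app/main/default/objects/Account/fields/Phone_Alt__c.field-meta.xml":
        "<CustomField><fullName>Phone_Alt__c</fullName><type>Phone</type></CustomField>",
}


def find_encryption_blockers(fields: Set[str], metadata: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per candidate field, the metadata files that reference it.

    Formula fields and Apex code that reference a field are the kind of
    dependency the validation email reports as a blocker, so listing them
    up front tells you which references need a different strategy first.
    """
    blockers: Dict[str, List[str]] = {f: [] for f in fields}
    for path, body in metadata.items():
        is_apex = path.endswith(".cls") or path.endswith(".trigger")
        formula = re.search(r"<formula>(.*?)</formula>", body, re.S)
        # Only Apex bodies and formula definitions are scanned; other XML is ignored,
        # so a field's own definition file does not count as a reference.
        haystack = body if is_apex else (formula.group(1) if formula else "")
        for field in fields:
            if re.search(r"\b" + re.escape(field) + r"\b", haystack):
                blockers[field].append(path)
    return blockers


if __name__ == "__main__":
    report = find_encryption_blockers({"Tax_Id__c", "Phone_Alt__c"}, SAMPLE_METADATA)
    for field, refs in report.items():
        print(field, "->", refs or "no blockers found")
```

Point the script at a real `sfdx force:source:retrieve` output by reading the files into the same path-to-content mapping.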