Data Encryption in the Salesforce Shield Age

For those of you who are eager to learn why Shield is changing the way we do encryption in Salesforce and are interested in implementing it in your own org, here is a quick summary of what you can expect from this amazing new tool.

Comparing Classic and Platform Encryption

In comparison to Classic encryption, which lets you protect a certain type of custom text field that was created for that purpose, Platform Encryption enables you to encrypt a variety of standard and custom fields as well as all different kinds of files. Furthermore, accounts, contacts, cases, search, workflow, approval processes, and other Salesforce functions are supported by Platform Encryption. Although some AppExchange apps may interact with Shield encryption, it is best practice to investigate how the data is being processed and what information is protected.

Diving into Salesforce Shield

Salesforce Shield helps you encrypt not only certain fields in the objects cited above, but also custom field types in the Salesforce data model, such as email, phone, text, text area, text area long and URL. Be warned, however: once a custom field has been encrypted, you can no longer change its field type or format. In addition, current or previously encrypted custom fields cannot be used in custom formula fields or criteria-based sharing rules.
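The restrictions above can be checked against field metadata before encryption is switched on. The following is an added example, not code from the original article or from Salesforce: it assumes the fields are available as Metadata API `CustomField` XML carrying the `encryptionScheme` element, applies only the rules this article states, and runs on constructed sample fields.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Custom field types the article lists as encryptable (Metadata API spellings).
ENCRYPTABLE = {"Email", "Phone", "Text", "TextArea", "LongTextArea", "Url"}

def _text(root, tag):
    node = root.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else ""

def audit(field_xml_docs):
    """Return sorted (field, issue) pairs for one object's CustomField XML docs."""
    fields = [ET.fromstring(doc) for doc in field_xml_docs]
    encrypted, findings = set(), []
    for f in fields:
        name, scheme = _text(f, "fullName"), _text(f, "encryptionScheme")
        if scheme and scheme != "None":
            encrypted.add(name)
            # e.g. a type edited in source after the field was encrypted
            if _text(f, "type") not in ENCRYPTABLE:
                findings.append((name, f"type {_text(f, 'type')} is not encryptable"))
    for f in fields:
        # API names referenced inside the formula body, e.g. SSN__c
        refs = set(re.findall(r"\b\w+__c\b", _text(f, "formula")))
        for hit in sorted(refs & encrypted):
            findings.append((_text(f, "fullName"),
                             f"formula references encrypted field {hit}"))
    return sorted(findings)

# Constructed sample metadata, not taken from any real org.
def _field(name, ftype, scheme="", formula=""):
    extra = (f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else "") + \
            (f"<formula>{formula}</formula>" if formula else "")
    return (f'<CustomField xmlns="{NS["m"]}"><fullName>{name}</fullName>'
            f"<type>{ftype}</type>{extra}</CustomField>")

SAMPLE = [
    _field("SSN__c", "Text", scheme="ProbabilisticEncryption"),
    _field("Score__c", "Number", scheme="ProbabilisticEncryption"),
    _field("Masked_SSN__c", "Text", formula="RIGHT(SSN__c, 4)"),
    _field("Notes__c", "LongTextArea"),
]

if __name__ == "__main__":
    for field, issue in audit(SAMPLE):
        print(f"{field}: {issue}")
```

Criteria-based sharing rules live in separate sharing metadata and are not covered by this check.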

If you are looking to enable Platform Encryption in your Salesforce org and you already have existing file and field data, these will not be encrypted automatically. An update of all past records in Salesforce will need to be done to trigger the encryption so that data is encrypted at rest[i]. Watch out, though: the update will not encrypt existing files. To encrypt existing files, you will have to contact Salesforce.

If you are a little anxious about turning on Platform Encryption, do not worry: Salesforce will automatically check the normal operation of your Salesforce organization and let you know of any risks or impacts. If you are deploying Platform Encryption from one organization to another (Sandbox to Production), the results of the deployment will depend upon whether Platform Encryption is enabled in the target organization. If encryption is disabled, the encrypted field attribute will be ignored.

Salesforce Shield has given companies amazing new abilities in the area of encryption, but it is strongly recommended to fully understand and dissect the small print of the Salesforce Security Implementation Guide before enabling it.

[i] Data at rest generally refers to data stored in persistent storage (disk, tape)


Vincent Barrow
