Shield Platform Encryption Best Practices

Encrypt only where necessary:
1. Not all data is sensitive. Focus on information that requires encryption to meet your regulatory, security, compliance, and privacy requirements. Unnecessarily encrypting data impacts functionality and performance.
2. Evaluate your data classification scheme early and work with stakeholders in security, compliance, and business IT departments to define requirements.
Create a strategy early for backing up and archiving keys and data:
If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure that your data and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed, or misplaced tenant secrets.

Before enabling encryption, fix any violations that you uncover. For example, if you reference encrypted fields in a SOQL ORDER BY clause, a violation occurs. Fix the violation by removing references to the encrypted fields.

Currency and Number fields can’t be encrypted because they could have broad functional consequences across the platform, such as disruptions to roll-up summary reports, report timeframes, and calculations.

When you generate a new tenant secret, any new data is encrypted using this key. However, existing sensitive data remains encrypted using previous keys. In this situation, Salesforce strongly recommends re-encrypting these fields using the latest key. Contact Salesforce for help with re-encrypting your data.
General Shield Platform Encryption Considerations

You can’t use encrypted custom fields in criteria-based sharing rules.

Some custom fields can’t be encrypted:
Fields that have the Unique or External ID attributes, or that include these attributes on previously encrypted custom fields (applies only to fields that use the probabilistic encryption scheme)
Fields on external data objects
Fields that are used in an account contact relation

You can’t use Shield Platform Encryption with Custom Metadata Types.

If a portal is enabled in your organization, you can’t encrypt standard fields. Deactivate all customer portals and partner portals to enable encryption on standard fields. (Communities are supported.)
When Person Accounts are turned on, encrypting any of the following Account fields encrypts the equivalent Contact fields, and vice versa:
Name
Description
Phone
Fax

When you encrypt any of the following Account or Contact fields, the equivalent fields in Person Accounts are also encrypted:
Name
Description
Mailing Address
Phone
Fax
Mobile
Home Phone
Other Phone
Email
When the Account Name or Contact Name field is encrypted, searching for duplicate accounts or contacts to merge doesn’t return any results.

Bounce handling doesn’t support encrypted email addresses. If you need email bounce handling, don't encrypt the standard Email field.

You can’t sort records in list views by fields that contain encrypted data.

Encrypted fields can’t be used in:
Criteria-based sharing rules
Similar opportunities searches
External lookup relationships
Filter criteria for data management tools
Considerations for Using Deterministic Encryption

Compound Fields
If the First Name and Last Name fields are encrypted in the Contact object, this query doesn’t work:
Select Id from Contact Where Name = 'William Jones'
But this query does work:
Select Id from Contact Where FirstName = 'William' And LastName = 'Jones'

You can use most SOQL statements with deterministic encryption. One exception is GROUP BY, which isn’t supported, even though you can group report results by row or column.

Deterministic encryption only supports exact, case-sensitive matches. Comparison operators that return partial matches aren’t supported. For example, LIKE and STARTS WITH statements aren’t supported.

Because deterministic encryption doesn’t maintain the sort order of encrypted data in the database, ORDER BY isn’t supported.
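A pre-flight check for the query violations described in this section and in the best practices above (ORDER BY, GROUP BY, LIKE, and equality filters on a compound field whose parts are encrypted), as an added example that is not Salesforce code: a heuristic regex scan over a SOQL string, assuming the caller supplies the encrypted field names and a hypothetical map of compound fields (Name) to their parts.

```python
import re

FIELD = r"[A-Za-z_][\w.]*"
DIRECTION = r"(?:\s+(?:ASC|DESC))?"


def _strip_direction(item):
    # "LastName DESC" -> "LastName"
    return re.sub(r"\s+(?:ASC|DESC)$", "", item.strip(), flags=re.I)


def find_soql_violations(query, encrypted_fields, compound_parts=None):
    """Return (rule, field) pairs for constructs that fail on encrypted fields.

    encrypted_fields: names of fields under deterministic encryption.
    compound_parts: hypothetical map of a compound field to its parts, e.g.
    {"Name": ("FirstName", "LastName")}; filtering on the compound field
    fails when any part is encrypted. Case-insensitive; a heuristic scan,
    not a SOQL parser, so treat hits as candidates to review.
    """
    enc = {f.lower() for f in encrypted_fields}
    parts_of = {k.lower(): v for k, v in (compound_parts or {}).items()}
    q = " ".join(query.split())  # normalise whitespace
    violations = []
    # ORDER BY and GROUP BY: the database keeps neither sort order nor
    # groupings for deterministically encrypted values.
    for clause in ("ORDER BY", "GROUP BY"):
        m = re.search(clause + r"\s+(" + FIELD + DIRECTION
                      + r"(?:\s*,\s*" + FIELD + DIRECTION + r")*)", q, re.I)
        if m:
            for item in m.group(1).split(","):
                field = _strip_direction(item)
                if field.lower() in enc:
                    violations.append((clause, field))
    # LIKE is a partial match; only exact, case-sensitive equality works.
    for m in re.finditer(r"(" + FIELD + r")\s+LIKE\s", q, re.I):
        if m.group(1).lower() in enc:
            violations.append(("LIKE", m.group(1)))
    # Equality filter on a compound field (Name) built from encrypted parts.
    for m in re.finditer(r"(" + FIELD + r")\s*=\s*'", q):
        field = m.group(1)
        if any(p.lower() in enc for p in parts_of.get(field.lower(), ())):
            violations.append(("COMPOUND", field))
    return violations
```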
Field Limits with Shield Platform Encryption

Case Comment Object
The Body field on the Case Comment object has a limit of 4,000 ASCII characters (or 4,000 bytes). However, when this field is encrypted, the character limit is lower. How much lower depends on the kind of characters you enter:
ASCII: 2959
Chinese, Japanese, Korean: 1333
Other non-ASCII: 1479
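A pre-flight length check against the encrypted Case Comment Body limits listed above, as an added example that is not Salesforce code: it classifies a value by the kind of characters it contains and compares its length with the matching limit. Assumptions: CJK characters are detected from their Unicode names, and mixed text is held to the most restrictive class present in it.

```python
import unicodedata

# Post-encryption limits for the Case Comment Body field, from the table above.
ENCRYPTED_BODY_LIMITS = {"ascii": 2959, "cjk": 1333, "other": 1479}


def _is_cjk(ch):
    # Assumption: CJK ideographs, Hiragana, Katakana and Hangul count as
    # Chinese/Japanese/Korean text; detected via the Unicode character name.
    name = unicodedata.name(ch, "")
    return name.startswith(("CJK", "HIRAGANA", "KATAKANA", "HANGUL"))


def body_character_class(text):
    """Return which row of the limit table governs this value.

    Assumption: for mixed text the most restrictive class present wins, so
    a mostly-ASCII comment with one ideograph is held to the CJK limit.
    """
    if any(_is_cjk(ch) for ch in text):
        return "cjk"
    if any(ord(ch) > 127 for ch in text):
        return "other"
    return "ascii"


def encrypted_body_limit(text):
    """Character limit that applies to this value once Body is encrypted."""
    return ENCRYPTED_BODY_LIMITS[body_character_class(text)]


def fits_encrypted_body(text):
    """True if the value can be stored after the Body field is encrypted."""
    return len(text) <= encrypted_body_limit(text)
```

Run this over existing Case Comment records before enabling encryption on Body, so that comments which exceed the lower limit are found and handled in advance rather than failing later.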
Which Salesforce Apps Don’t Support Shield Platform Encryption?

These apps don’t support data encrypted with Shield Platform Encryption. However, you can enable Shield Platform Encryption for other apps while these apps are in use:
Connect Offline
Commerce Cloud (Salesforce B2B Commerce version 4.10 and later is supported)
Data.com
Einstein Engine
Heroku (but Heroku Connect does support encrypted data)
Marketing Cloud (but Marketing Cloud Connect does support encrypted data)
Salesforce CPQ
Salesforce IQ
Social Customer Service
Thunder
Quip
Salesforce Billing

Legacy portals (customer, self-service, and partner) don’t support data encrypted with Shield Platform Encryption. If legacy portals are active, Shield Platform Encryption can’t be enabled.