Salesforce Shield Platform Encryption is a robust data protection tool that enables the encryption of sensitive data within Salesforce. It ensures that your critical data, whether at rest or in transit, is encrypted and protected against unauthorized access. For organizations with heightened security needs, Shield Platform Encryption offers a deeper level of encryption and control over sensitive data compared to traditional encryption methods in Salesforce.
This article will explore how Shield Platform Encryption works, including its core concepts, features, and key differences from other encryption mechanisms, with practical insights for intermediate to advanced developers.
What is Salesforce Shield Platform Encryption?
Salesforce Shield Platform Encryption is an enterprise-grade security feature designed to encrypt sensitive data stored in Salesforce. It is an enhancement over Classic Encryption, which offers limited functionality. Shield Platform Encryption provides comprehensive encryption coverage, allowing customers to encrypt almost all Salesforce data at rest, including both standard and custom fields.
Key features of Salesforce Shield Platform Encryption include:
- Customer-Controlled Encryption Keys: You control the encryption keys, including the option to create, manage, and rotate them as needed.
- Master Secret: Salesforce manages a master secret that assists in the encryption process, ensuring the security and integrity of the data.
- End-to-End Encryption: Data is encrypted when stored (at rest) and can only be decrypted by authorized users or processes.
- Encrypted Standard and Custom Fields: You can encrypt both standard Salesforce fields and custom fields, offering comprehensive encryption coverage for your entire Salesforce org.
How Encryption Works in Salesforce Shield
Salesforce Shield Platform Encryption uses a combination of two encryption secrets:
- Tenant Secret: This secret is unique to your Salesforce org and is controlled by you (the customer).
- Master Secret: Managed by Salesforce, this secret is used in conjunction with the tenant secret to generate a unique encryption key for your org.
The encryption key derived from the tenant secret and the master secret is used to encrypt and decrypt sensitive data. This two-secret approach keeps the encryption process secure, as the keys are never shared between Salesforce organizations.
Encryption Key Flow:
- Key Generation: Salesforce generates the encryption key using a combination of the tenant secret and Salesforce’s master secret.
- Data Encryption: Data is encrypted using the generated encryption key before being stored in Salesforce’s databases.
- Decryption: When authorized users access the encrypted data, the data is decrypted using the same encryption key.
This architecture ensures that even if an attacker gains access to the database, the encrypted data remains unreadable without the decryption keys.
Key Features of Salesforce Shield Platform Encryption
1. Data Encryption at Rest
Shield Platform Encryption ensures that sensitive data is encrypted while at rest, meaning when it is stored in Salesforce databases. This is a critical feature for organizations looking to comply with regulatory requirements such as GDPR, HIPAA, or financial regulations.
By default, all encrypted fields in Salesforce, including both standard and custom fields, are protected against unauthorized access. Salesforce applies encryption at the storage level, so even if unauthorized access to the storage occurs, the data remains unreadable without the decryption key.
2. Encryption Key Management
One of the most significant features of Shield Platform Encryption is the ability to manage your own encryption keys. With encryption keys controlled by customers, you have the flexibility to rotate, revoke, or refresh keys as necessary.
- Encryption Key Rotation: Salesforce provides an option to rotate encryption keys periodically. Rotation limits exposure: even if a key is compromised, only data encrypted using the previous key is at risk.
- Custom Key: You can also supply your own final data encryption key, offering additional control over encryption key management.
3. Compliance and Security
Shield Platform Encryption is often required for organizations that must meet compliance requirements such as:
- PCI-DSS (Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- HIPAA (Health Insurance Portability and Accountability Act)
Using Shield Platform Encryption can help your organization meet legal and contractual obligations while ensuring sensitive customer data is encrypted according to industry best practices.
Classic Encryption vs. Shield Platform Encryption
Salesforce offers different encryption options, each with its strengths and use cases. Below is a comparison between Classic Encryption and Shield Platform Encryption.
| Feature | Classic Encryption | Shield Platform Encryption |
|---|---|---|
| Pricing | Included in base user license | Additional fee applies |
| Encryption at Rest | Yes | Yes |
| Encryption Algorithm | 128-bit AES | 256-bit AES |
| Masking | Yes | No |
| Encrypted Standard Fields | No | Yes |
| Encrypted Custom Fields | Limited (175 characters) | Unlimited (custom fields supported) |
| Manage Encryption Keys Permission | No | Yes |
Key Differences:
- Encryption Algorithm: Classic Encryption uses a 128-bit AES algorithm, while Shield Platform Encryption uses a more secure 256-bit AES algorithm.
- Custom Fields: Shield Platform Encryption allows encryption of unlimited custom fields, while Classic Encryption is limited in the number of characters it can encrypt in custom fields (175 characters).
- Encryption Key Control: Shield Platform Encryption gives customers the ability to manage their encryption keys, whereas Classic Encryption does not.
- Field Encryption: In Shield Platform Encryption, both standard and custom fields can be encrypted, while Classic Encryption only supports a limited set of fields.
Shield Platform Encryption Process Flow
To understand how Shield Platform Encryption works behind the scenes, let’s take a look at the typical encryption and decryption flow:
Encryption Process:
- User Input: The user enters sensitive data into a field (e.g., a credit card number or Social Security Number).
- Encryption Key Generation: Salesforce generates an encryption key using a combination of your tenant secret and the Salesforce master secret.
- Data Encryption: The data entered by the user is encrypted using the generated key before being stored in the Salesforce database.
- Storage: The encrypted data is stored in Salesforce's underlying infrastructure.
Decryption Process:
- Data Retrieval: When an authorized user requests access to the encrypted data, Salesforce retrieves the encrypted data from storage.
- Key Retrieval: Salesforce obtains the encryption key that matches the tenant secret and master secret combination and uses it to decrypt the data.
- Data Decryption: The encrypted data is decrypted and made available to the authorized user.
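The key flow and the encryption and decryption process described above, modeled as an added Python example (not Salesforce's implementation and not code from the original article): a data key is re-derived from a master secret and a versioned tenant secret, each stored record carries the secret version it was written under, and rotating or destroying a tenant secret changes what can be decrypted. The `Org` class, the sample secrets, PBKDF2 as the derivation function and the HMAC-based stand-in for AES-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MASTER_SECRET = bytes.fromhex("11" * 32)  # constructed; held by the provider


def derive_key(master: bytes, tenant: bytes) -> bytes:
    """256-bit data key from both secrets. PBKDF2 here is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", tenant, master, 10_000, dklen=32)


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256 (not in the standard library): HMAC-SHA256 counter mode.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Org:
    """One tenant: versioned tenant secrets, keys re-derived on demand."""

    def __init__(self, tenant_secret: bytes):
        self.secrets = {1: tenant_secret}
        self.active = 1

    def rotate(self, new_secret: bytes) -> None:
        self.active += 1
        self.secrets[self.active] = new_secret  # old versions stay archived

    def destroy(self, version: int) -> None:
        del self.secrets[version]  # data written under it becomes unrecoverable

    def encrypt(self, plaintext: bytes) -> tuple:
        key = derive_key(MASTER_SECRET, self.secrets[self.active])
        nonce = os.urandom(16)
        ct = _xor_stream(key, nonce, plaintext)
        return (self.active, nonce, ct, _prf(key, b"mac", nonce + ct))

    def decrypt(self, record: tuple) -> bytes:
        version, nonce, ct, tag = record
        key = derive_key(MASTER_SECRET, self.secrets[version])  # KeyError once destroyed
        if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
            raise ValueError("wrong key or tampered ciphertext")
        return _xor_stream(key, nonce, ct)
```

Calling `destroy(1)` after a rotation shows why archived tenant secrets must be retained for as long as data written under them is still needed.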
Practical Example: Implementing Shield Platform Encryption
Let's look at a basic example where Shield Platform Encryption is used to encrypt a custom field on an Account record:
1. Create Custom Encrypted Field
You can create a custom encrypted field directly in the Salesforce UI:
- Go to Object Manager > Account > Fields & Relationships.
- Create a new field of type Text and mark it as Encrypted.
- The field will now be encrypted at rest and protected by Shield Platform Encryption.
2. Manage Encryption Keys
If you want to use your custom encryption keys:
- Navigate to Setup > Shield Platform Encryption > Key Management.
- Select the option to Create a new key and manage the lifecycle of your keys.
3. Encrypt Data in Apex
You can also work with encrypted fields from Apex code, ensuring that sensitive data entered via API or custom logic is encrypted using Shield Platform Encryption.
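```apex
// Encrypted_Field__c is the custom field marked as encrypted in step 1.
Account acc = new Account(Name = 'Secure Account');
acc.Encrypted_Field__c = 'Sensitive Data';
// No explicit encryption call: the value is encrypted when the record is saved.
insert acc;
```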
In this case, the Encrypted_Field__c will be encrypted automatically when the record is saved.
Conclusion
Salesforce Shield Platform Encryption provides advanced security capabilities for protecting sensitive data within Salesforce. It offers end-to-end encryption with customer-controlled keys, support for encryption at rest, and compliance with industry standards. By understanding how Shield Platform Encryption works and implementing it in your Salesforce environment, you can ensure that your sensitive data is secure, comply with legal requirements, and provide peace of mind to your organization and users.
With its key features, including flexible key management, custom field encryption, and robust compliance options, Shield Platform Encryption is an essential tool for organizations with high data security needs. Whether you are storing customer personal data, financial information, or other sensitive content, Salesforce Shield Platform Encryption is a powerful and effective way to protect your data at every level.