Platform Encryption for Data Cloud allows developers to transparently encrypt their Data Cloud data with customer-managed keys (CMK). This new feature provides better data security by allowing companies to manage their own encryption keys for data at rest, enabling them to better meet compliance regulations. Developers have an easy-to-use interface to create and manage their keys, as well as more visibility over the keys, integration with setup audit trail, email notifications, and integration with Security Center. Platform Encryption for Data Cloud is now generally available in all regions.
Enabling Platform Encryption
A Salesforce Shield bundle or Shield Platform Encryption needs to be purchased in order to use Platform Encryption for Data Cloud.
After you satisfy the prerequisites, make sure you have the permission that allows you to manage encryption keys. You can create a permission set and find this permission under System Permissions. Once the correct permission is assigned to you, navigate to Setup > Security > Platform Encryption > Encryption Settings and toggle Manage Data Cloud Keys to on.
Viewing your keys
After you enable Data Cloud Keys, your first key is generated automatically. You can view it in Setup > Security > Platform Encryption > Key Management. You can generate another root key by clicking the Generate Root Key button. This archives the existing root key and creates a new one. Data written after the rotation is encrypted with the new key; data that was already encrypted stays encrypted with its original key.
FAQs
What is the difference between field-level encryption (FLE) and Platform Encryption for Data Cloud?
Field-level encryption means that the data is encrypted at each individual field. Platform Encryption for Data Cloud provides encryption at the data tier.
As an existing Data Cloud customer, will I experience any downtime when I purchase Platform Encryption for Data Cloud?
No, there will be no downtime in terms of accessing data in Data Cloud. There will also not be any performance degradation or latency as a result of enabling this feature.
As an existing Data Cloud customer, will Platform Encryption for Data Cloud encrypt all my existing data or only new data moving forward?
When a customer purchases Platform Encryption for Data Cloud, all data in Data Cloud that is in the data lake will be encrypted. However, when customers rotate the encryption keys, only new data will be encrypted with the new key. Existing data will remain encrypted with the original key.
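The rotation behaviour described in the key-management section and in this answer (archive the current root key, write new data under the new key, leave existing data under its original key), modelled as an added example. This is illustrative code, not Salesforce's implementation; it uses an HMAC-SHA256 counter-mode keystream as a stand-in for whatever cipher the service actually uses, and the record layout (key version, nonce, ciphertext) is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class RootKey:
    version: int
    material: bytes
    archived: bool = False  # an archived key still decrypts data written under it


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in stream cipher."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KeyRing:
    """Models the lifecycle described above: one active root key, older keys archived."""

    def __init__(self) -> None:
        self.keys: dict[int, RootKey] = {}
        self.active_version = 0
        self.generate_root_key()  # the first key is generated automatically on enablement

    def generate_root_key(self) -> int:
        """'Generate Root Key': archive the current key and activate a fresh one."""
        if self.active_version:
            self.keys[self.active_version].archived = True
        self.active_version += 1
        self.keys[self.active_version] = RootKey(self.active_version, os.urandom(32))
        return self.active_version

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes, bytes]:
        """New data is always written under the active key; the key version travels with the record."""
        key = self.keys[self.active_version]
        nonce = os.urandom(16)
        return key.version, nonce, _keystream_xor(key.material, nonce, plaintext)

    def decrypt(self, record: tuple[int, bytes, bytes]) -> bytes:
        """Existing data stays under its original key, so reads use that version, archived or not."""
        version, nonce, ciphertext = record
        return _keystream_xor(self.keys[version].material, nonce, ciphertext)
```

Rotating only archives a key; nothing on the page describes destroying one, and the model reflects that by never deleting from the ring.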
How will the encrypted data be presented to the end user in the application layer?
The end user will be able to see data in plain text in the UI, assuming they have access to see that data. Encryption prevents outsiders from using your Salesforce data even if they manage to get access to it. It is not a way to hide data from authenticated users. Refer to this help article for further details.
Will Data Cloud sandboxes have encryption available?
Encryption of sandbox data won’t be available at the same time as the GA for production, but will come in a later release. Customers will be able to encrypt data in their sandbox org as they would in their prod org.
Resources
- Help documentation: How Shield Platform Encryption Works
- Help documentation: Platform Encryption for Data Cloud
- Help documentation: Encrypt Data Cloud with Customer-Managed Root Keys
- Trailhead: Get Started with Platform Encryption for Data Cloud
Acknowledgments
A very special thank you to Product Managers Cynthia Huang, Dave Hacker, and Krassimira Iordanova for the abundance of material referenced in this blog.
About the Author
Danielle Larregui is a Senior Developer Advocate at Salesforce focusing on the Data Cloud platform. She enjoys learning about cloud technologies, speaking at and attending tech conferences, and engaging with technical communities. You can follow her on X.