PlatformEncryptionSettings

Represents an org’s Platform Encryption settings, such as settings for available encryption schemes, permissions, encryption policy access, and which fields can be encrypted. This type extends the Metadata metadata type and inherits its fullName field.

In the package manifest, all organization settings metadata types are accessed using the Settings name. See Settings for details.

File Suffix and Directory Location

PlatformEncryptionSettings values are stored in the PlatformEncryption.settings file in the settings folder. The .settings files are different from other named components because there’s only one settings file for each settings component.

Version

PlatformEncryptionSettings is available in API versions 47.0 and later.

Special Access Rules

To enable and disable PlatformEncryptionSettings attributes, you need the Customize Application permission. Attributes that allow key management tasks require the Manage Encryption Keys permission. For a complete list of required permissions, see "Which User Permissions Does Shield Platform Encryption Require?"

Fields

Field Name: canEncryptManagedPackageFields
Field Type: boolean
Description: Indicates whether users can enable encryption on custom fields in installed managed packages (true) or not (false).

Field Name: isUseHighAssuranceKeysRequired
Field Type: boolean
Description: This field is for internal use.

Field Name: isMEKForEncryptionRequired
Field Type: boolean
Description: Indicates whether encryption policy tasks, such as enabling encryption on fields, also require the Manage Encryption Keys permission (true) or not (false), in addition to those tasks’ baseline permissions.

Field Name: enableDeterministEncryption
Field Type: boolean
Description: Indicates whether customers apply the deterministic encryption scheme to supported fields (true) or not (false). The deterministic encryption scheme lets customers filter on encrypted data.

Field Name: enableEncryptFieldHistory
Field Type: boolean
Description: Indicates whether the background encryption process applies the customer's active key material to field history and feed tracking values (true) or not (false). The default value is false. If false, background encryption processes apply active key material to all encrypted data except duplicates of that data stored in field history or feed tracking.

Field Name: enableEventBusEncryption
Field Type: boolean
Description: This field is for internal use.

Declarative Metadata Sample Definition

The following is an example of the PlatformEncryption.settings file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PlatformEncryptionSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <canEncryptManagedPackageFields>true</canEncryptManagedPackageFields>
    <isUseHighAssuranceKeysRequired>true</isUseHighAssuranceKeysRequired>
    <isMEKForEncryptionRequired>true</isMEKForEncryptionRequired>
    <enableDeterministEncryption>true</enableDeterministEncryption>
    <enableEncryptFieldHistory>true</enableEncryptFieldHistory>
</PlatformEncryptionSettings>
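
Because these settings live in a single file, a retrieved PlatformEncryption.settings can be checked in review or CI before it is deployed. The following is an added example, not Salesforce code: it parses the file and reports fields that differ from a review baseline. The baseline values, the sample file and the function names are assumptions made for illustration; field names are used as spelled on this page.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
# Constructed sample file, not from a real org. Field names are spelled as on this page.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PlatformEncryptionSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <canEncryptManagedPackageFields>true</canEncryptManagedPackageFields>
    <isMEKForEncryptionRequired>false</isMEKForEncryptionRequired>
    <enableDeterministEncryption>true</enableDeterministEncryption>
</PlatformEncryptionSettings>"""
# Assumed review baseline (not a Salesforce recommendation): field -> (expected, finding).
BASELINE = {
    "isMEKForEncryptionRequired": (True, "policy tasks need only their baseline permissions"),
    "enableEncryptFieldHistory": (True, "active key material is not applied to field history"),
    "enableDeterministEncryption": (False, "deterministic scheme can be applied to fields"),
}
# Default stated on the page; the other fields have no default documented there.
DEFAULTS = {"enableEncryptFieldHistory": False}

def load_settings(xml_text):
    """Return {field: bool} for every element in a PlatformEncryption.settings file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}PlatformEncryptionSettings" % NS:
        raise ValueError("not a PlatformEncryptionSettings document: %s" % root.tag)
    settings = {}
    for child in root:
        name = child.tag.split("}", 1)[-1]          # strip the namespace prefix
        value = (child.text or "").strip().lower()
        if value not in ("true", "false"):
            raise ValueError("%s: expected true/false, got %r" % (name, child.text))
        settings[name] = value == "true"
    return settings

def audit(xml_text):
    """Return (field, effective_value, finding) tuples that miss the baseline, sorted by field."""
    settings = load_settings(xml_text)
    findings = []
    for field, (expected, finding) in BASELINE.items():
        # An element absent from the file falls back to the documented default, if any.
        effective = settings.get(field, DEFAULTS.get(field))
        if effective is None:
            findings.append((field, None, "not set in file and no default documented"))
        elif effective != expected:
            findings.append((field, effective, finding))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for field, value, finding in audit(SAMPLE):
        print("%-30s %-5s %s" % (field, value, finding))
```

An element that is missing from the file is evaluated at its documented default, so the sample is reported for enableEncryptFieldHistory even though the file never mentions it.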

Example Package Manifest

The following is an example package manifest used to deploy or retrieve the Platform Encryption settings metadata for an organization:
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>PlatformEncryption</members>
        <name>Settings</name>
    </types>
    <version>47.0</version>
</Package>

Wildcard Support in the Manifest File

The wildcard character * (asterisk) in the package.xml manifest file doesn’t apply to metadata types for feature settings. The wildcard applies only when retrieving all settings, not for an individual setting. For details, see Settings. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.