Capturing Changes and Encrypting the Event Payload
When Shield Platform Encryption is enabled, Change Data Capture encrypts the fields of every object whose changes it tracks before the change event is stored. It ignores the object and field selections configured for Shield Platform Encryption: tracked objects that were never selected for Shield Platform Encryption are encrypted as well. For example, suppose that only the Mailing Address field of contacts is encrypted with Shield Platform Encryption. If data changes occur in accounts and contacts, the change events for both accounts and contacts are encrypted, not just the Mailing Address field.
Delivering Change Events
Before a change event is delivered to a subscribed client, its payload is decrypted with the data encryption key it was encrypted under, so the client receives the field values in plaintext. The event is then sent over HTTPS, so TLS protects it in transit. If the key has been rotated and a new key issued, events stored under the old key are not re-encrypted; they are decrypted for delivery with the archived key. If that key is destroyed, the stored events encrypted with it can't be decrypted and aren't delivered.
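To make the key lifecycle concrete, the following Python model (added here as an illustration; it is not Salesforce code and says nothing about how Shield Platform Encryption is implemented internally) stores events encrypted under whichever key version is active at capture time, rotates the key without re-encrypting stored events, decrypts each event with the archived key it was sealed under, and skips events whose key has been destroyed. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so the example runs on the standard library alone; it stands in for a real AEAD such as AES-GCM. All class and function names are assumptions of this example.

```python
"""Model of change-event storage under a rotating data encryption key (illustrative, not Salesforce code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


# --- Toy encrypt-then-MAC cipher (stand-in for AES-GCM; not for production use) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from the data encryption key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: stored event was modified or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


# --- Key lifecycle: active -> archived -> destroyed ---
class KeyStore:
    """The active key encrypts new events; archived keys still decrypt; destroyed keys never do."""

    def __init__(self) -> None:
        self._keys: dict = {}  # version -> key bytes, or None once destroyed
        self._active = 0
        self.rotate()

    def rotate(self) -> int:
        self._active += 1
        self._keys[self._active] = os.urandom(32)
        return self._active

    def destroy(self, version: int) -> None:
        self._keys[version] = None  # key material gone; ciphertexts under it are unrecoverable

    @property
    def active(self) -> int:
        return self._active

    def key(self, version: int) -> Optional[bytes]:
        return self._keys.get(version)


@dataclass
class StoredEvent:
    object_name: str
    key_version: int  # records which data encryption key sealed this payload
    blob: bytes


class EventStore:
    def __init__(self, keys: KeyStore) -> None:
        self.keys = keys
        self.events: list = []

    def capture(self, object_name: str, payload: bytes) -> None:
        # Every tracked object is encrypted, whatever the field-level selections say.
        v = self.keys.active
        self.events.append(StoredEvent(object_name, v, _encrypt(self.keys.key(v), payload)))

    def deliver(self) -> list:
        """Decrypt each event with the key version it was sealed under.
        Events whose key has been destroyed are skipped, not delivered."""
        delivered = []
        for ev in self.events:
            key = self.keys.key(ev.key_version)
            if key is None:
                continue
            delivered.append((ev.object_name, _decrypt(key, ev.blob)))
        return delivered


def demo() -> dict:
    keys = KeyStore()
    store = EventStore(keys)
    store.capture("Account", b"Name=Acme")  # constructed sample payload
    keys.rotate()  # new key issued; the Account event is NOT re-encrypted
    store.capture("Contact", b"MailingCity=Berlin")  # constructed sample payload
    after_rotation = [name for name, _ in store.deliver()]
    keys.destroy(1)  # destroy the original key
    after_destroy = [name for name, _ in store.deliver()]
    return {"after_rotation": after_rotation, "after_destroy": after_destroy,
            "account_key_version": store.events[0].key_version}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers both events after the rotation (the Account event is decrypted with the archived version 1 key) and only the Contact event once version 1 is destroyed. Recording the key version alongside each ciphertext is what makes the archived-key lookup possible; without it, a rotation would leave the store unable to tell which key to try.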