Change Data Capture Developer Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Change Data Capture
Keep Your External Data Current with Change Data Capture
Change Event Message Structure
Merged Change Events
Other Types of Change Events: Gap and Overflow Events
Subscribe to Change Events
Monitor Change Event Publishing and Delivery Usage
Security Considerations
Required Permissions for Change Event Subscribers
Field-Level Security
Change Events for Encrypted Salesforce Data
Generate an Event Bus Tenant Secret
Enable Encryption of Change Events
Capturing Changes and Encrypting the Event Payload
Change Event Considerations
Standard Object Notes
Change Events for Fields
PDF

Capturing Changes and Encrypting the Event Payload

After capturing record changes, Change Data Capture creates a change event and stores it in the event bus. Because data changes are captured internally on the application servers in decrypted form, they must be encrypted before storing the corresponding change event that contains them. The entire event payload is encrypted using the data encryption key that is based on the Event Bus tenant secret type.

When Shield Platform Encryption is enabled, Change Data Capture encrypts the fields of all Salesforce objects that it tracks. Change Data Capture ignores the object and field selections set up for Shield Platform Encryption. Fields of all objects for which changes are tracked are encrypted before event storage, even objects not selected for Shield Platform Encryption. For example, suppose that only the Mailing Address of contacts is encrypted with Shield Platform Encryption. If data changes occur in accounts and contacts, change events for both accounts and contacts are encrypted.

Delivering Change Events

Before delivering a change event to a subscribed client, the change event payload is decrypted using the data encryption key. The change event is sent over a secure channel using HTTPS and TLS, which ensures that the data is protected and encrypted while in transit. If the encryption key was rotated and a new key is issued, stored events are not re-encrypted but they are decrypted before delivery using the archived key. If a key is destroyed, stored events can't be decrypted and aren't delivered.

Classic Encryption is not supported.

Note