Encrypt Data with the Deterministic Encryption Scheme

Generate key material specific to data encrypted with deterministic encryption schemes. You can apply either case-sensitive deterministic encryption or case-insensitive deterministic encryption schemes to your data, depending on the kind of filtering that you want to perform. When you apply a deterministic encryption scheme to a field or change between deterministic encryption schemes, synchronize your data. Syncing data makes sure that your filters and queries produce accurate results.

User Permissions Needed
To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material: Manage Encryption Keys
To enable Deterministic Encryption: Customize Application
  1. If you don’t already have an active Fields and Files (Probabilistic) tenant secret, generate one.
    • From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings. Turn on Generate Initial Probabilistic Tenant Secret. This path is the fastest because you can stay on the Encryption Settings page to generate your deterministic tenant secret.
    • Optionally, generate this tenant secret on the Key Management page. From Setup, in the Quick Find box, enter Key Management, and then select Key Management. In the Key Management Table, select Fields and Files (Probabilistic). Then generate or upload a tenant secret.
  2. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
  3. In the Advanced Encryption Settings section, turn on Generate Initial Deterministic Tenant Secret.
    You can also enable deterministic encryption programmatically. For more information, see PlatformEncryptionSettings in the Metadata API Developer Guide.
  4. Enable encryption for each field, and choose a deterministic encryption scheme. How you do that depends on whether it’s a standard field or a custom field.
    • For standard fields, from Setup, select Encryption Settings. In the Advanced Encryption Settings section, click Select Fields. The Encrypt Standard Fields page opens. For each field that you want to encrypt, select the field name, and then choose either Deterministic—Case Sensitive or Deterministic—Case Insensitive from the Encryption Scheme list.
    • For custom fields, open the Object Manager and edit the field that you want to encrypt. Select Encrypt the contents of this field, and select an encryption scheme.
    You can mix and match probabilistic and deterministic encryption, encrypting some fields one way and some fields the other.
    You receive an email notifying you when the enablement process finishes.

    Note: Expect the enablement process to take longer when you apply deterministic encryption to a field with a large number of records. To support filtering, the enablement process also rebuilds field indexes.

  5. When you apply deterministic encryption to a field or remove it from a field, it’s possible that existing data in that field doesn’t appear in queries or filters. To apply full deterministic functionality to existing data, synchronize all your data with your active key material from the Encryption Statistics and Data Sync page. For more information, see Synchronize Your Data Encryption with the Background Encryption Service.
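
The following Python model is an added example, not Salesforce code and not the platform's actual cipher. It shows why the scheme choice and the data sync decide what a filter returns: HMAC-SHA256 stands in for deterministic encryption, and the `Field` class, the scheme names, and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

SCHEMES = ("probabilistic", "deterministic-cs", "deterministic-ci")

def token(key, value, scheme):
    """Model of the stored value that an equality filter compares against."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "probabilistic":
        return os.urandom(32)  # fresh randomness per write: equal plaintexts never match
    if scheme == "deterministic-ci":
        value = value.casefold()  # fold case so "Smith" and "smith" share one token
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()

class Field:
    """One encrypted field. Plaintext is kept only so this model can re-derive tokens."""
    def __init__(self, key, scheme):
        self.key, self.scheme, self.records = key, scheme, []

    def write(self, value):
        self.records.append({"plain": value, "token": token(self.key, value, self.scheme)})

    def set_scheme(self, scheme):
        self.scheme = scheme  # affects new writes and queries only; stored tokens are untouched

    def sync(self):
        # Re-derive every stored token under the currently active scheme.
        for rec in self.records:
            rec["token"] = token(self.key, rec["plain"], self.scheme)

    def filter(self, query):
        wanted = token(self.key, query, self.scheme)
        return [r["plain"] for r in self.records if hmac.compare_digest(r["token"], wanted)]

def demo():
    f = Field(os.urandom(32), "probabilistic")
    for v in ("Smith@example.com", "smith@example.com"):  # constructed sample data
        f.write(v)
    out = {"probabilistic": f.filter("smith@example.com")}  # no match is possible
    f.set_scheme("deterministic-cs")
    out["cs_before_sync"] = f.filter("smith@example.com")   # existing rows are invisible
    f.sync()
    out["cs_after_sync"] = f.filter("smith@example.com")    # exact-case row only
    f.set_scheme("deterministic-ci")
    out["ci_before_sync"] = f.filter("SMITH@example.com")   # partial, inaccurate result
    f.sync()
    out["ci_after_sync"] = f.filter("SMITH@example.com")    # both rows match
    return out
```

Calling `demo()` returns the filter results at each stage, so the rows that go missing before each sync are visible directly.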