Encrypt Data with the Deterministic Encryption Scheme
Generate key material specific to data encrypted with deterministic encryption schemes.
You can apply either case-sensitive deterministic encryption or case-insensitive deterministic
encryption schemes to your data, depending on the kind of filtering that you want to perform.
When you apply a deterministic encryption scheme to a field or change between deterministic
encryption schemes, synchronize your data. Syncing data makes sure that your filters and queries
produce accurate results.
User Permissions Needed | |
---|---|
To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material: | Manage Encryption Keys |
To enable Deterministic Encryption: | Customize Application |
- If you don’t already have an active Fields and Files (Probabilistic) tenant secret, generate one.
  - From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings. Turn on Generate Initial Probabilistic Tenant Secret. This path is the fastest because you can stay on the Encryption Settings page to generate your deterministic tenant secret.
  - Optionally, generate this tenant secret on the Key Management page. From Setup, in the Quick Find box, enter Key Management, and then select Key Management. In the Key Management Table, select Fields and Files (Probabilistic). Then generate or upload a tenant secret.
- From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
- In the Advanced Encryption Settings section, turn on Generate Initial Deterministic Tenant Secret.
  You can also enable deterministic encryption programmatically. For more information, see PlatformEncryptionSettings in the Metadata API Developer Guide.
- Enable encryption for each field, and choose a deterministic encryption scheme. How you do that depends on whether it’s a standard field or a custom field.
  - For standard fields, from Setup, select Encryption Settings. In the Advanced Encryption Settings section, click Select Fields. The Encrypt Standard Fields page opens. For each field that you want to encrypt, select the field name, and then choose either Deterministic—Case Sensitive or Deterministic—Case Insensitive from the Encryption Scheme list.
  - For custom fields, open the Object Manager and edit the field that you want to encrypt. Select Encrypt the contents of this field, and select an encryption scheme.

  You can mix and match probabilistic and deterministic encryption, encrypting some fields one way and some fields the other. You receive an email notifying you when the enablement process finishes.
- When you apply or remove deterministic encryption to a field, it’s possible that existing data in that field doesn’t appear in queries or filters. To apply full deterministic functionality to existing data, synchronize all your data with your active key material from the Encryption Statistics and Data Sync page. For more information, see Synchronize Your Data Encryption with the Background Encryption Service.
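
The following conceptual model shows why the chosen scheme decides which equality filters work, and why existing data stops matching after a scheme change until it is synchronized. It is an added example, not Salesforce code: the toy cipher, the constructed key, the scheme labels (`probabilistic`, `det-cs`, `det-ci`) and all function names are assumptions made for illustration and do not describe how the platform implements encryption.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed; stands in for derived key material


def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); illustration only."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(value: str, scheme: str) -> bytes:
    if scheme == "det-ci":
        value = value.lower()  # assumption: the model stores a case-folded match copy
    data = value.encode()
    if scheme == "probabilistic":
        iv = os.urandom(16)  # fresh IV: equal plaintexts give different ciphertexts
    else:
        # IV derived from scheme and plaintext: equal plaintexts give equal ciphertexts
        iv = hmac.new(KEY, scheme.encode() + b"|" + data, hashlib.sha256).digest()[:16]
    return iv + _xor_stream(KEY, iv, data)


def decrypt(blob: bytes) -> str:
    return _xor_stream(KEY, blob[:16], blob[16:]).decode()


def filter_equals(rows: list[bytes], term: str, scheme: str) -> list[str]:
    """Equality filter: encrypt the term under the field's current scheme, compare bytes."""
    needle = encrypt(term, scheme)
    return [decrypt(r) for r in rows if r == needle]


def sync(rows: list[bytes], scheme: str) -> list[bytes]:
    """Re-encrypt every stored value under the current scheme (models the data sync)."""
    return [encrypt(decrypt(r), scheme) for r in rows]
```

Rows written under one scheme return nothing from a filter that runs under another scheme until `sync` re-encrypts them. The match itself comes from equal plaintexts producing equal ciphertexts, which also means a deterministic field reveals which stored values are equal.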