Encrypt Search Index Files with a Root Key

In orgs that use the updated search index framework, you use a DEK that’s secured by a root key in the search index encryption process. Sometimes you must search for personally identifiable information (PII) or for data that’s encrypted in the database. When you search your org, the results are stored in search index files in plaintext — a potential vulnerability. You can encrypt these search index files with Shield Platform Encryption, adding another layer of security to your data.
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge.

User Permissions Needed
To generate, destroy, export, import, upload, and configure Shield Platform Encryption key material: Manage Encryption Keys

With the Spring ’24 release, we began migrating Hyperforce orgs to a new search index encryption architecture. This architecture, available only for Hyperforce orgs, gives you the ability to control the root key that generates and encrypts the data encryption key (DEK) for your search indexes. The migration is gradual, so it’s possible that you’re still using the legacy search index encryption. We notify you when your org is using the new architecture.

For orgs that use the updated search index framework, we create the first root key and data encryption key (DEK). Your search indexes are then generated using the new architecture with the new DEK. The old search index tenant secrets are used only until the new search index framework is in place. After your indexes have been reindexed by using the new framework, your old search index tenant secrets are no longer used.

Your search index encryption root key and DEK are both visible on the Key Management page in Setup. The root key that secures a DEK is visible in the Key Management Table. Just like other keys in Salesforce, you can rotate root keys and DEKs for control over your key lifecycle and encryption policy.

Search index DEKs are never stored unwrapped. When needed, they’re unwrapped by the root key and cached for immediate use by the search index service.
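
The key hierarchy described above, modeled as an added example that is not Salesforce code: a root key wraps the DEK, only the wrapped DEK is persisted, the unwrapped DEK lives in an in-memory cache, and rotating the root key re-wraps the DEK without touching index ciphertext. AES-256-GCM, the labels, and every function name here are assumptions; the page does not state which algorithms the service uses.

```javascript
// Added illustration of envelope encryption; algorithm and names are assumptions.
const nodeCrypto = require('node:crypto');

// Encrypt `plaintext` under `key`; `aad` binds the ciphertext to its purpose.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypt and authenticate; throws if key, aad or ciphertext do not match.
function open(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Create a DEK and return only its wrapped form; the raw DEK is never stored.
function newWrappedDek(rootKey) {
  return seal(rootKey, nodeCrypto.randomBytes(32), 'search-index-dek');
}
const dekCache = new Map(); // in-memory only: wrapped-DEK tag (hex) -> unwrapped DEK

// Unwrap on demand with the root key, then serve later calls from the cache.
function getDek(rootKey, wrappedDek) {
  const id = wrappedDek.tag.toString('hex');
  if (!dekCache.has(id)) dekCache.set(id, open(rootKey, wrappedDek, 'search-index-dek'));
  return dekCache.get(id);
}

// Root key rotation: re-wrap the same DEK; index ciphertext stays as it is.
function rotateRootKey(oldRoot, newRoot, wrappedDek) {
  return seal(newRoot, open(oldRoot, wrappedDek, 'search-index-dek'), 'search-index-dek');
}

// Constructed sample data: one index segment containing a PII term.
function demo() {
  const root1 = nodeCrypto.randomBytes(32), root2 = nodeCrypto.randomBytes(32);
  const wrapped1 = newWrappedDek(root1);
  const segment = seal(getDek(root1, wrapped1), Buffer.from('term:jane.doe@example.com'), 'segment-0');
  const wrapped2 = rotateRootKey(root1, root2, wrapped1);
  dekCache.clear(); // simulate a service restart: only wrapped keys survive
  const afterRotation = open(getDek(root2, wrapped2), segment, 'segment-0').toString();
  let oldRootRejected = false;
  try { open(root1, wrapped2, 'search-index-dek'); } catch { oldRootRejected = true; }
  return { afterRotation, oldRootRejected, plaintextOnDisk: segment.ct.includes('jane.doe') };
}
```

In this model, a cache hit in `getDek` never consults the root key, so revoking a root key only takes effect for a running service once its cached DEKs are evicted.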

  1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
  2. In the Encryption Policy section, turn on Encrypt Search Indexes.
    Salesforce begins creating your root key and DEK. You’re notified when the new DEK is ready.
  3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  4. In the Key Management Table, select Search Index.
    Review the page. When the new DEK is Active, your search indexes are being encrypted.