Key Material Types

With Shield Platform Encryption, you encrypt data with either tenant secrets or a root key paired with a data encryption key (DEK). Each type of key material targets specific data stores within Salesforce, so you can apply different key-rotation cycles or key-destruction policies to different keys based on the kinds of data that they encrypt.
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge.

Note: This page is about Shield Platform Encryption, not Classic Encryption.

Types of Tenant Secrets

Tenant secrets are categorized according to the kind of data that they encrypt.

Fields and Files (Probabilistic)
Encrypts data using the probabilistic encryption scheme, including data in fields, attachments, and files other than search index files.
Field (Deterministic)
Encrypts field data by using the deterministic encryption scheme.
Search Index
Encrypts fields and other data governed by your encryption policy that are stored in search indexes. Available in orgs that don’t yet use the updated search index framework.
Analytics
Encrypts CRM Analytics data.
Event Bus
Encrypts event messages that are stored temporarily in the event bus. For change data capture events, this secret encrypts the data changes and the corresponding event that contains them. For platform events, this secret encrypts the event message, including event field data.

You can have up to 50 active and archived tenant secrets of each type. For example, you can have 1 active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. The limit counts both Salesforce-generated key material and key material that you supply; destroyed tenant secrets no longer count toward it.

If you reach this limit, destroy an existing tenant secret before you reactivate or rearchive another one or create a callout to a new one. Before you destroy a tenant secret, synchronize the data that it encrypts with an active tenant secret: data that is still encrypted with a destroyed key can no longer be decrypted.
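To make the limit and the ordering concrete, the following is an added example, not Salesforce's code or API: it models one tenant-secret type. The Keyring type, the state names, the record map and the version numbering are this example's assumptions. Creating a version archives the previous one, the limit of 50 counts only active and archived versions, and Destroy refuses while a version is still active or while any record is still encrypted under it, until Sync has moved those records to the active version.

```go
package main

import "errors"

// Lifecycle states of one tenant-secret version (this example's names, not
// Salesforce API values).
const (
	Active = iota
	Archived
	Destroyed
)

// MaxSecretsPerType is the page's limit: 50 active plus archived secrets per
// type, Salesforce-generated or customer-supplied. Destroyed ones stop counting.
const MaxSecretsPerType = 50

var (
	ErrLimit      = errors.New("50 active and archived tenant secrets of this type already exist")
	ErrNoSuchKey  = errors.New("no such tenant secret version")
	ErrIsActive   = errors.New("version is active; activate another version first")
	ErrStillInUse = errors.New("records still encrypted with this version; synchronize them first")
)

// Keyring is a constructed model: the versions of one tenant-secret type and,
// per record id, the version that record is currently encrypted under.
type Keyring struct {
	Type    string
	active  int
	status  map[int]int
	records map[string]int
}

// NewKeyring starts with version 1 active.
func NewKeyring(secretType string) *Keyring {
	return &Keyring{Type: secretType, active: 1, status: map[int]int{1: Active}, records: map[string]int{}}
}

// Counted returns how many versions count toward the limit.
func (k *Keyring) Counted() int {
	n := 0
	for _, s := range k.status {
		if s != Destroyed {
			n++
		}
	}
	return n
}

// Create issues a new active version and archives the previous one.
func (k *Keyring) Create() (int, error) {
	if k.Counted() >= MaxSecretsPerType {
		return 0, ErrLimit
	}
	k.status[k.active] = Archived
	k.active = len(k.status) + 1 // version numbers are never reused
	k.status[k.active] = Active
	return k.active, nil
}

// Encrypt marks record id as encrypted under the active version.
func (k *Keyring) Encrypt(id string) { k.records[id] = k.active }

// Sync re-encrypts every record still under v with the active version
// (the "synchronize the data" step) and returns how many it moved.
func (k *Keyring) Sync(v int) int {
	moved := 0
	for id, rv := range k.records {
		if rv == v && rv != k.active {
			k.records[id] = k.active
			moved++
		}
	}
	return moved
}

// Destroy refuses while v is active or any record still depends on it, because
// data encrypted with a destroyed key cannot be decrypted afterwards.
func (k *Keyring) Destroy(v int) error {
	s, ok := k.status[v]
	if !ok || s == Destroyed {
		return ErrNoSuchKey
	}
	if v == k.active {
		return ErrIsActive
	}
	for _, rv := range k.records {
		if rv == v {
			return ErrStillInUse
		}
	}
	k.status[v] = Destroyed
	return nil
}
```

The point of the guard in Destroy is the order the page prescribes: synchronize first, then destroy. A real org does the equivalent by re-encrypting the data that still references the old version before destroying its key material.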

Root Keys and Data Encryption Keys

Some Salesforce data can be encrypted with a root key and DEK pair: the root key controls the DEK, and the DEK encrypts the data.

AWS Root Key
A root key that is stored in AWS KMS and only referenced by Salesforce; it controls the DEK used to encrypt Salesforce data. Available when External Key Management is enabled and a connection to AWS KMS is configured.
Salesforce Root Key
A root key that Salesforce manages rather than AWS KMS; it controls the DEK used to encrypt data.
Search Index DEK
A data encryption key, controlled by a root key, that encrypts all search indexes. Available in orgs that use the updated search index framework.
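The root key/DEK split is envelope encryption: the root key never encrypts data directly, it only wraps the DEK, so rotating or revoking the root key changes who can recover the DEK without re-encrypting the data underneath. The following is an added example, not Salesforce's implementation: it uses AES-256-GCM from the Go standard library for both layers, keeps the root key behind Wrap/Unwrap to stand in for a KMS boundary (in the AWS Root Key case the real key stays in AWS KMS and is only referenced), and binds a purpose string such as "search-index" as associated data so a wrapped DEK cannot be replayed for another store. All type and function names here are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RootKey stands in for a KMS-held root key. Only Wrap and Unwrap are exposed,
// so raw key bytes never reach the data path (this example's modelling).
type RootKey struct {
	aead cipher.AEAD
}

func NewRootKey() (*RootKey, error) {
	raw := make([]byte, 32) // AES-256; in production this key would live in KMS
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	aead, err := gcm(raw)
	return &RootKey{aead: aead}, err
}

// gcm builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to the AEAD ciphertext.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits the nonce off and authenticates before decrypting.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Wrap encrypts a DEK under the root key. The purpose string is bound as
// associated data so a wrapped key for one store cannot be reused for another.
func (r *RootKey) Wrap(dek []byte, purpose string) ([]byte, error) {
	return seal(r.aead, dek, []byte(purpose))
}

// Unwrap recovers the DEK; it fails if the blob was wrapped by a different
// root key or for a different purpose.
func (r *RootKey) Unwrap(wrapped []byte, purpose string) ([]byte, error) {
	return open(r.aead, wrapped, []byte(purpose))
}

// NewDEK returns a fresh 256-bit data encryption key.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

// EncryptData and DecryptData touch only the DEK, never the root key.
func EncryptData(dek, plaintext []byte) ([]byte, error) {
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return seal(aead, plaintext, nil)
}

func DecryptData(dek, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, ciphertext, nil)
}

// Rewrap rotates the root key: the DEK is unwrapped under the old root key and
// wrapped under the new one; the data ciphertext is not touched.
func Rewrap(oldRoot, newRoot *RootKey, wrapped []byte, purpose string) ([]byte, error) {
	dek, err := oldRoot.Unwrap(wrapped, purpose)
	if err != nil {
		return nil, err
	}
	return newRoot.Wrap(dek, purpose)
}
```

Two properties worth checking when you reason about a root key/DEK design: after Rewrap, the old root key can no longer unwrap the DEK, and the existing data ciphertext still decrypts under the unchanged DEK. Losing access to the root key (for example, a revoked KMS grant) therefore makes the DEK, and with it the data, unrecoverable even though the data ciphertext is intact.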