Master data encryption at rest with comprehensive setup instructions, best practices, implementation lessons learned, and expert guidance on field selection
Reading time: ~20 minutes Last Updated: January 2026
In This Guide
12
In-Depth Sections
Shield Feature
256-bit
AES Encryption
In This Guide
5
FAQs Answered
Shield Feature
BYOK
Key Management
1
What is Shield Platform Encryption?
Quick Answer: Salesforce Shield Platform Encryption is a native security feature that encrypts sensitive data at rest using AES 256-bit encryption. It protects standard and custom fields, files, attachments, and Chatter data while maintaining application functionality like search, Flows, and validation rules.
According to Salesforce official documentation, Shield Platform Encryption is part of the Salesforce Shield suite - a set of security tools that helps administrators and developers build extra levels of trust, compliance, and governance right into business-critical applications.
The Four Components of Salesforce Shield
Salesforce Shield consists of four main components, each addressing different security needs:
Platform Encryption: Encrypts data at rest (when stored in Salesforce data centers) using 256-bit AES encryption
Event Monitoring: Tracks user activity and data access patterns for security analysis
Field Audit Trail: Retains field history data for up to 10 years for compliance requirements
Data Detect: Automatically scans your database to identify sensitive data like credit card numbers, SSNs, and emails
Key Insight: You can purchase the full Shield bundle or individual components based on your regulatory and business requirements. Platform Encryption is often the most sought-after component for organizations with compliance mandates.
Why Platform Encryption Matters
Shield Platform Encryption helps organizations meet legal and contractual obligations while ensuring sensitive customer data is encrypted according to industry best practices. Shield is compliant with or exceeds requirements for GDPR, HIPAA, and SOX standards.
Unlike traditional encryption that might break application functionality, Shield Platform Encryption maintains critical features such as:
2
Classic Encryption vs Shield Platform Encryption
Understanding the differences between Classic Encryption and Shield Platform Encryption is crucial for making the right security decision. According to the Salesforce Security Implementation Guide, these two approaches serve different purposes and have distinct capabilities.
Feature
Classic Encryption
Shield Platform Encryption
Encryption Algorithm
128-bit AES
256-bit AES
Cost
Included with base Salesforce license
Additional cost (20% of net spend)
Field Support
Custom text fields only (175 char limit)
Standard & custom fields, files, attachments
Key Management
Salesforce-managed only
BYOK (Bring Your Own Key) supported
Data Masking
Yes (hides data with random characters)
No (use field-level security instead)
Formula Fields
Not supported
Supported
Flows (Automation)
Not supported
Supported
Reports & Search
Data exposed in reports/search
Encrypted at all levels
When to Use Classic Encryption
Classic Encryption is appropriate for basic security needs where:
You need to mask sensitive data (like SSNs or credit card numbers) from internal users
You don't have regulatory compliance requirements
Budget constraints prevent purchasing Shield
You only need to protect a small number of custom text fields
When to Use Shield Platform Encryption
Shield Platform Encryption is the superior choice when:
You need to meet compliance requirements (HIPAA, GDPR, SOX, PCI-DSS)
You require encryption of standard fields (Account Name, Contact Email, etc.)
You need to encrypt files and attachments
You want control over your encryption keys (BYOK)
You need encryption that works with Flows, formulas, and validation rules
Important: The biggest drawback of Classic Encryption is that encrypted data can still be exposed in reports, search results, and API responses. Shield Platform Encryption solves this by ensuring encryption at all levels, making it the superior choice for high-security environments.
3
How Shield Platform Encryption Works
Shield Platform Encryption uses a sophisticated key derivation process to protect your data. According to the Shield Platform Encryption Architecture Guide, the encryption relies on a combination of keys that work together to secure your data.
Key Architecture
Tenant Secret
Customer-controlled unique secret
You control this
Master Secret
Salesforce-maintained secret
Salesforce controls
Data Encryption Key
Used to encrypt/decrypt data
Protects your data
Encryption Schemes: Probabilistic vs Deterministic
Shield Platform Encryption offers two encryption schemes, each with different security and functionality trade-offs:
Aspect
Probabilistic Encryption
Deterministic Encryption
How It Works
Same text produces different ciphertext each time
Same text always produces same ciphertext
Security Level
Higher (fully randomized initialization vector)
Slightly lower (static initialization vector)
Filtering/Search
Not supported
Supported (can filter on encrypted fields)
Report Filters
Not supported
Supported
List Views
Cannot filter
Can filter
Use Case
Maximum security for non-searchable data
Balance of security and functionality
Recommendation: Use probabilistic encryption whenever data in a field will not need to be filtered or searched. Reserve deterministic encryption only for fields where filtering capability is essential for business operations.
The Encryption Process
Here's how data flows through Shield Platform Encryption when a user saves sensitive information:
User
Salesforce
Database
Enter data via UI/API
Detect encrypted field
Derive key (Tenant + Master)
AES-256 encrypt data
Store ciphertext at rest
4
Which Fields Can Be Encrypted?
One of the most common questions about Shield Platform Encryption is: "Can I choose which fields to encrypt?" The answer is yes - you have granular control over field encryption. According to the Salesforce Help documentation on standard fields, you can encrypt specific standard and custom fields based on your security requirements.
Supported Custom Field Types
The following custom field types can be encrypted:
Subject, Description, Case Comments (Body and internal comments)
Opportunity
Description, Next Step
Chat Transcript
Body, Supervisor Transcript Body
Person Account
All Account + Contact fields applicable to Person Accounts
Industry Clouds: Shield Platform Encryption also supports specific standard fields in CPQ, Health Cloud, Financial Services Cloud, Sales Cloud, Service Cloud, and Workplace Command Center. Consult the Which Standard Fields Can I Encrypt? documentation for the complete list.
Files, Attachments, and Chatter
Beyond field-level encryption, Shield supports:
Data Type
Encryption Behavior
Selectivity
Files & Attachments
All-or-nothing when policy is enabled
Cannot selectively encrypt individual files
Chatter
Encrypts posts, comments, questions, polls, link names/URLs
All Chatter fields encrypted when enabled
Search Index
Search index files can be encrypted
All-or-nothing
CRM Analytics
Datasets can be encrypted
Configurable
Important Note: When encryption policy for files and attachments is enabled, all new files will be encrypted at rest. File and attachment encryption is binary (all or nothing). For existing files, you must submit a Salesforce Support case to encrypt historical files - this cannot be done self-service.
According to Salesforce Trailhead, Shield Platform Encryption requires only two system permissions:
Permission
Purpose
Assign To
Manage Encryption Keys
Generate, rotate, export, import, and destroy tenant secrets
Security Admin only (very limited users)
Customize Application
Enable encryption on fields, modify encryption policies
Salesforce Admins who configure encryption
Important: Shield Platform Encryption does NOT have a "View Encrypted Data" permission (that's Classic Encryption). With Shield, encryption is transparent - users who have field-level security access to a field automatically see decrypted data. Use FLS, profiles, permission sets, and sharing rules to control data visibility.
Critical Warning: Ensure System Administrators do NOT have the "Manage Encryption Keys" permission by default. If someone accidentally deletes the tenant secret, there is NO way to recover encrypted data. Limit this permission to a dedicated Security Admin role with strict access controls.
6
BYOK & Key Management
For organizations requiring complete control over their encryption keys, Shield Platform Encryption offers BYOK (Bring Your Own Key) capabilities. According to the Salesforce BYOK documentation, you can upload your own key material or use the Cache-Only Key Service.
Key Management Options
Option
Description
Best For
Salesforce-Generated Keys
Salesforce generates and manages your tenant secret
Most organizations without strict key control requirements
Customer-Supplied Keys (BYOK)
Upload your own 256-bit AES key material
Organizations requiring key ownership for compliance
Cache-Only Key Service
Store keys externally; Salesforce fetches on demand
Maximum control - keys never persist in Salesforce
Create 256-bit AES key, encrypt with certificate's public key
4
Upload to Salesforce
Key Management → Upload encrypted key material
5
Activate Key
Set as active for Data in Salesforce, Analytics, etc.
Cache-Only Key Service: For maximum control where keys never persist in Salesforce, use the Cache-Only Key Service. This requires setting up Named Credentials pointing to your external key service and using the CacheOnlyKeyWrapper tool to format keys.
Rotation Frequency: Rotate encryption keys every 120 days (recommended)
Backup Keys: Securely export and back up every old tenant secret before rotation
Key Archival: Archived keys are needed to decrypt historical data
Automatic Re-encryption: Newly created and edited data uses the most recent key automatically
Key Limit: There is a limit of 50 undestroyed keys across all key types (including BYOK, EKM, and Cache-Only keys)
Pro Tip: When you rotate keys, existing data doesn't automatically get re-encrypted. Use the Encryption Statistics page to synchronize existing data with your latest encryption policy, or touch records programmatically to trigger re-encryption.
// This SOQL will FAIL if Account.Name is encrypted with probabilistic scheme
Account[] accts = [SELECT Id, Name FROM Account WHERE Name = 'Acme Corp'];
// This will work with deterministic encryption
Account[] accts = [SELECT Id, Name FROM Account WHERE Name = 'Acme Corp'];
// This will NEVER work (ORDER BY on encrypted field)
Account[] accts = [SELECT Id, Name FROM Account ORDER BY Name];
Field Character Limits
According to the field limits documentation, encrypted content is often longer than its plaintext, which can impose stricter limits:
Test field limits in longer fields like Address and Subject
Non-ASCII values (Chinese, Japanese, Korean) may have additional length restrictions
Character limits on encrypted fields are often lower than standard field lengths
Feature Restrictions
Feature
Impact with Encryption
Report Filters
Cannot filter on probabilistically encrypted fields
List View Filters
Cannot filter on probabilistically encrypted fields
Einstein Lead Scoring
May be limited if Lead fields are encrypted
Duplicate Management
Account/Contact Name encryption prevents duplicate detection
Web-to-Case
Web fields (Company, Email, Name, Phone) are NOT encrypted at rest
Email Bounce Handling
Does not support encrypted email addresses
AppExchange Compatibility
Not all AppExchange applications are Shield-compatible:
Important: Some apps aren't compatible with encryption and can prevent you from enabling Shield Platform Encryption. Always verify with vendors before implementing. Notable incompatibilities include certain features of Heroku, Thunder, and Quip integrations.
Storage Impact
Good news: Encrypting files, fields, and attachments does NOT affect your org's storage limits. The encrypted ciphertext storage is handled transparently.
Define Your Threat Model: Walk through a formal threat-modeling exercise to identify which threats are most likely to affect your organization
Encrypt Strategically: Don't encrypt everything - focus on PII, financial records, and critical business data
Start with Data Classification: Use Data Detect first to identify sensitive data before deciding what to encrypt
Implementation Lessons
Lesson 1: Always test encryption in a full sandbox environment before enabling in production. This reveals impacts on custom Apex, formulas, and integrations that aren't obvious from documentation alone.
Lesson 2: Data will be encrypted after Shield is enabled, but existing data requires synchronization. Use the self-service Background Encryption from the Encryption Statistics page (available since Spring '19) - you can sync once every 7 days. For files and attachments, submit a Salesforce Support case.
Lesson 3: Review ALL Apex code that queries encrypted fields. Code using encrypted fields in WHERE clauses will fail if using probabilistic encryption. Fix violations before enabling encryption.
Security vs Functionality Balance
Understanding when Shield is the right solution:
Security Concern
Right Solution
Protect data from internal Salesforce users
Use OWD, Sharing Rules, Profiles, and FLS (NOT Shield)
Compliance requirements (HIPAA, GDPR, SOX)
Shield Platform Encryption
Database-level security at data center
Shield Platform Encryption
Hide data in UI with masking
Classic Encryption or Field-Level Security
Key Management Lessons
Limit Key Permissions: Create a dedicated "Security Admin" profile with very limited users who can manage encryption keys
Document Key Rotation: Maintain a log of all key rotations with dates and reasons
Backup Before Rotation: Always export and securely store the current tenant secret before generating a new one
Test Key Recovery: Periodically verify you can restore encrypted data using archived keys
9
Dos and Don'ts
DO These Things
Classify your data firstIdentify what's truly sensitive before encrypting anything
Test in sandbox extensivelyTest all integrations, reports, and Apex code before production
Verify AppExchange compatibilityContact vendors to confirm Shield readiness before enabling
Rotate keys every 120 daysMaintain key hygiene for ongoing security
Backup tenant secretsExport and securely store keys before rotation
Use deterministic encryption for searchable fieldsBalance functionality with security needs
DON'T Do These Things
Encrypt everythingUnnecessary encryption slows performance and affects UX
Give System Admins key management permissionsAccidental deletion of tenant secret = permanent data loss
Enable in production without sandbox testingEncryption can break critical business processes unexpectedly
Use Shield for internal user access controlUse profiles, permission sets, sharing rules, and FLS instead
Forget to encrypt existing dataNew data is auto-encrypted; existing data needs background sync
Use probabilistic encryption on searchable fieldsProbabilistic encryption prevents filtering and searching
10
Pricing & Licensing
Salesforce Shield pricing is unique - it's based on a percentage of your total Salesforce spend rather than per-user pricing. According to Salesforce's official Shield pricing page, the cost structure works as follows:
Pricing Structure
Component
Pricing (% of Net Spend)
What's Included
Platform Encryption
20%
Field encryption, file encryption, BYOK support
Data Detect
15%
Sensitive data identification and classification
Event Monitoring
10%
User activity tracking, security analytics
Field Audit Trail
10%
10-year field history retention
Full Shield Bundle
30%
All four components (Encryption, Event Monitoring, Field Audit Trail, Data Detect)
Example Calculation: If you're spending $1,000,000/year on Sales Cloud and Service Cloud, and you purchase the full Shield bundle at 30%, you will pay an additional $300,000/year for Shield. For Platform Encryption alone at 20%, that would be $200,000/year.
Edition Availability
Salesforce Edition
Shield Availability
Developer Edition
Free (for testing and development)
Enterprise Edition
Available as add-on subscription
Performance Edition
Available as add-on subscription
Unlimited Edition
Available as add-on subscription
11
Common Problems & Solutions
Based on community discussions and implementation experiences documented by Gearset's troubleshooting guide, here are the most frequently encountered Shield Platform Encryption problems and their solutions.
Problem 1: Deployment Succeeds but Encryption Fails
Symptom: Your deployment reports success, but the field encryption is not applied. You receive an email from Salesforce about an encryption failure after the deployment.
Root Cause: Salesforce executes the encryption compliance check asynchronously to the Metadata API deployment. The API reports success before the encryption compatibility check completes.
Solution:
Monitor your email for post-deployment encryption failure notifications
Review the failure details in the email and address the specific compatibility issues
Redeploy the CustomObject field after resolving conflicts
Use Encryption Statistics page to verify encryption was applied
Problem 2: SOQL Tests Fail with Deterministic Encryption
Symptom: After deploying encrypted fields with Apex classes, your SOQL queries mysteriously return no records, causing test failures.
Root Cause: Salesforce doesn't encrypt the field immediately upon Metadata API deployment. The encryption is applied later after compatibility checks. Meanwhile, your Apex tests run against non-encrypted fields, and queries on encrypted fields fail.
Solution:
1
Split Your Deployment
Deploy encrypted fields in the first package, then deploy Apex classes/tests separately
2
Wait for Encryption
Allow time for Salesforce to apply encryption before running tests
3
Run Tests Separately
Execute test classes after confirming encryption is active via Encryption Statistics
Problem 3: Process Builder Conflicts
Symptom: Deployment fails with error indicating Process Builder uses the encrypted field in an Update Records filter.
Root Cause: You cannot use encrypted fields in Process Builder Update Records filters. Even inactive versions in the target org cause conflicts.
Solution:
Go to the target org and delete all inactive Process Builder versions that reference the to-be-encrypted field in Update Records filters
Deploy a new version of Process Builder that doesn't use the encrypted field in filters
Ensure the new version is active before deploying the encrypted field
Consider migrating to Flow, which has better encryption compatibility
Problem 4: Third-Party App Incompatibility
Symptom: AppExchange packages fail or behave unexpectedly after enabling encryption. Some apps prevent enabling Shield entirely.
Root Cause: Not all AppExchange applications are Shield-compatible. Some apps directly query encrypted fields in ways that break with encryption enabled.
Solution:
Before enabling Shield, audit all installed packages
Contact each vendor to confirm Shield compatibility
Request Shield-ready updates from vendors if needed
Consider alternative apps if vendors cannot support Shield
Test thoroughly in sandbox with all packages before production
Problem 5: System Propagation Delays
Symptom: After turning encryption on or off, the system reports inconsistent states. Fields show as encrypted when they're not, or vice versa.
Root Cause: The architecture behind platform encryption has propagation delays when toggling encryption on and off.
Solution:
Wait several minutes after making encryption changes before testing
Use the Encryption Statistics page to verify actual encryption status
Don't rapidly toggle encryption on and off during testing
Clear browser cache if UI shows stale information
Problem 6: SOQL WHERE Clause Violations
Symptom: Existing Apex code fails at runtime with errors about encrypted fields in WHERE clauses.
// This code FAILS with probabilistic encryption
List<Contact> contacts = [SELECT Id, Email FROM Contact WHERE Email = :searchEmail];
// Workaround: Use SOSL instead for search scenarios
List<List<SObject>> results = [FIND :searchEmail IN ALL FIELDS RETURNING Contact(Id, Email)];
// Alternative: Use deterministic encryption (if search is required)
// Configure field for deterministic encryption in Encryption Policy
Solution:
Audit all Apex code for SOQL queries using encrypted fields in WHERE clauses
Use SOSL FIND statements as a workaround for search scenarios
Switch to deterministic encryption for fields that must be searchable
Refactor code to filter results in Apex after querying without WHERE filters
Problem 7: Existing Data Not Encrypted
Symptom: After enabling encryption, existing records still show unencrypted data in exports or backups.
Root Cause: Shield Platform Encryption only encrypts newly created and modified data. Existing data must be explicitly synchronized.
Solution:
Use the Encryption Statistics page to sync existing data with your policy
Programmatically touch records to trigger re-encryption (update with same values)
Plan for data synchronization during implementation, not as an afterthought
Problem 8: Performance Degradation
Symptom: Page load times increase, reports run slower, and bulk operations take longer after enabling encryption.
Root Cause: Encryption/decryption operations add processing overhead, especially for frequently accessed fields or large data volumes.
Solution:
Only encrypt fields that truly require protection (PII, financial data, compliance-mandated)
Avoid encrypting fields used in high-frequency operations
Use selective field encryption instead of encrypting everything
Monitor performance before and after enabling encryption
Consider whether deterministic vs probabilistic impacts your specific use cases
?
Frequently Asked Questions
Salesforce Shield Platform Encryption is a security feature that natively encrypts sensitive data at rest using AES 256-bit encryption. It protects standard and custom fields, files, attachments, and Chatter data while maintaining application functionality like search, Flows, and validation rules. Unlike Classic Encryption, it offers BYOK (Bring Your Own Key) capabilities and works with formula fields and Flows.
Classic Encryption uses 128-bit AES and only encrypts custom text fields up to 175 characters with data masking capabilities. Shield Platform Encryption uses stronger 256-bit AES, encrypts both standard and custom fields, files, and attachments, and supports BYOK (Bring Your Own Key). Shield works with formulas and Flows, while Classic does not. Classic is free but exposes data in reports; Shield is paid but encrypts at all levels.
Shield Platform Encryption is priced at 20% of your net Salesforce spend when purchased standalone. Data Detect is 15%, Event Monitoring is 10%, and Field Audit Trail is 10%. The full Shield bundle costs 30% of net spend. For example, if you spend $500,000/year on Salesforce products, encryption alone would cost $100,000/year. It's available free in Developer Edition for testing purposes.
Yes, you can selectively encrypt specific standard and custom fields. You choose which fields to encrypt based on your data classification and compliance requirements. However, files and attachments follow an all-or-nothing approach - when the encryption policy is enabled, all files and attachments are encrypted. Chatter encryption also applies to all Chatter fields when enabled.
Key limitations include: encrypted fields cannot be used in SOQL WHERE or ORDER BY clauses (except with deterministic encryption for exact-match filtering), aggregate functions like MAX/MIN don't work, some AppExchange apps may not be compatible, duplicate management doesn't work with encrypted Account/Contact Names, and certain features like Einstein Lead Scoring may be limited when fields are encrypted.
12
Abbreviations & Glossary
Abbreviations & Glossary
Reference guide for technical terms and abbreviations used throughout this article.
AES-Advanced Encryption Standard
API-Application Programming Interface
BYOK-Bring Your Own Key
CEK-Content Encryption Key
DEK-Data Encryption Key
FLS-Field-Level Security
GDPR-General Data Protection Regulation
HIPAA-Health Insurance Portability and Accountability Act
IV-Initialization Vector
JWE-JSON Web Encryption
OWD-Organization-Wide Defaults
PCI-DSS-Payment Card Industry Data Security Standard
PII-Personally Identifiable Information
SOX-Sarbanes-Oxley Act
SOQL-Salesforce Object Query Language
SOSL-Salesforce Object Search Language
SSN-Social Security Number
UI-User Interface
Related Reading
Continue your Salesforce security and development learning journey with these related guides from my blog:
