Comply with Data Protection Requirements Using Platform Encryption (Generally Available)

Platform Encryption encrypts sensitive data for compliance with common regulatory requirements.
Available in: Enterprise, Performance, and Unlimited Editions. Available in Developer Edition at no charge for organizations created in Summer '15 and later.



You may need to purchase additional services or subscriptions to use this feature. For pricing details, please contact your Salesforce account executive. Platform Encryption is not available if your instance is in the Government Cloud.

Platform Encryption lets customers encrypt data stored throughout Salesforce, whether in the Sales Cloud, Service Cloud, or even custom apps. Encrypt sensitive, confidential, and private data at rest on the Salesforce1 Platform to help meet privacy policies, regulatory requirements, and contractual obligations for handling private data.

Salesforce Platform Encryption sets up in minutes, with no additional hardware or software, and uses native strong, standards-based encryption. Platform Encryption provides an extra layer to Salesforce's security while enabling customers to enjoy business critical Platform features, such as search, workflow, and validation rules.

You can:
  • Encrypt files and attachments.
  • Encrypt certain standard and custom fields.
  • Use an advanced key management system.

With Platform Encryption, sensitive field data is masked to limit who can see information. Controls help to protect your data.​ These controls include the use of derived data encryption keys and customer-controlled key rotation, generation, and destruction processes.

Platform Encryption Process Flow The encryption architecture and process flow.
The encryption process follows these steps:
  1. Data is sent to the application server.
  2. The application server checks if the data encryption key exists in memory.
  3. One of the following occurs:
    1. If the data encryption key is found in the cache, the application server retrieves it.
    2. If the data encryption key is not found, the application server reads the organization's encrypted active tenant secret from the database. The application server then requests a key from the key derivation server with accompanying information such as the encrypted tenant secret and release version. The key derivation server derives the key in the HSM using the master secret and the tenant secret and provides it to the application server.
  4. The encryption service encrypts the data on the application server.
  5. The encrypted data is stored.

What’s the Difference Between Classic Encrypted Custom Fields and Platform Encryption?

The following table compares Classic Encrypted Custom Fields and Platform Encryption solutions.

Feature Classic Encrypted Custom Fields (included in base user license) Platform Encryption (additional fee applies)
Encryption at Rest Checkmark Checkmark
Native Solution (No Hardware or Software is Required) Checkmark Checkmark
Encryption Algorithm 128-bit Advanced Encryption Standard (AES) 256-bit Advanced Encryption Standard (AES)
HSM-based Key Derivation Checkmark
“Manage Encryption Keys” Permission Checkmark
Generate, Export, Import, and Destroy Keys Checkmark Checkmark
PCI-DSS L1 Compliance Checkmark
Text (Encrypted) Field Type Checkmark

(Dedicated custom field type, limited to 175 characters)

Masking Checkmark Checkmark
Mask Types and Characters Checkmark
“View Encrypted Data” Permission is Required to Read Encrypted Field Values Checkmark Checkmark
Email Template Values Respect “View Encrypted Data” Permission Checkmark
Encrypted Standard Fields Checkmark*
Encrypted Attachments, Files, and Content Checkmark
Encrypted Custom Short Text, Long Text Area, Phone, Email, and URL Fields Checkmark
Encrypt Existing Fields for Supported Custom Field Types Checkmark
Search (UI, Partial Search, Lookups) Checkmark
API Access Checkmark Checkmark
Available in Workflow Rules and Workflow Field Updates Checkmark
Available in Approval Process Entry Criteria and Approval Step Criteria Checkmark
*On the Account object, you can encrypt Account Name. On the Contact object, you can encrypt Email, Fax, Home Phone, Mailing Address (Mailing Street and Mailing City), Mobile, Name (First Name, Middle Name, and Last Name), Other Phone, and Phone.