Available in: Enterprise, Performance, and Unlimited Editions. Available in Developer Edition at no charge for organizations created in Summer '15 and later.
Salesforce Platform Encryption sets up in minutes, with no additional hardware or software, and uses native, strong, standards-based encryption. Platform Encryption adds an extra layer to Salesforce's security while letting customers keep using business-critical Platform features, such as search, workflow, and validation rules. With Platform Encryption you can:
- Encrypt files and attachments.
- Encrypt certain standard and custom fields.
- Use an advanced key management system.
With Platform Encryption, sensitive field data is masked to limit who can see information. Controls help to protect your data. These controls include the use of derived data encryption keys and customer-controlled key rotation, generation, and destruction processes.
Encrypting a field value works as follows:
- Data is sent to the application server.
- The application server checks whether the data encryption key exists in memory.
- One of the following occurs:
  - If the data encryption key is found in the cache, the application server retrieves it.
  - If the data encryption key is not found, the application server reads the organization's encrypted active tenant secret from the database. The application server then requests a key from the key derivation server, passing accompanying information such as the encrypted tenant secret and the release version. The key derivation server derives the key inside the HSM from the master secret and the tenant secret, and returns it to the application server.
- The encryption service encrypts the data on the application server.
- The encrypted data is stored.
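To make the cache-and-derive flow above concrete, here is an added model of it in Python; it is an illustration written for this page, not Salesforce's own code. It assumes HKDF-SHA256 stands in for the HSM's derivation function, an HMAC-SHA256 counter-mode keystream stands in for AES-256 so the example runs with the standard library alone, and the master secret, tenant secrets, release string and org id are constructed values. It goes slightly beyond the listed steps by also exercising the rotation and destruction controls mentioned earlier: after rotation, values saved under the earlier tenant secret stay readable; after that secret is destroyed, they do not.

```python
import hashlib
import hmac
import os

# Constructed test value. In the real design the master secret lives only in the HSM.
MASTER_SECRET = b"constructed-master-secret"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def prf_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 XORed into the data (stand-in for
    AES-256; same call encrypts and decrypts). Unauthenticated: a real deployment
    uses an AEAD such as AES-256-GCM, and a nonce is never reused under one key."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class KeyDerivationServer:
    """Stands in for the HSM: only it holds the master secret."""

    def __init__(self, master_secret: bytes):
        self._master_secret = master_secret

    def derive(self, tenant_secret: bytes, release: str) -> bytes:
        # The data key depends on master secret, tenant secret and release version.
        return hkdf_sha256(ikm=tenant_secret, salt=self._master_secret,
                           info=b"platform-encryption/" + release.encode())


class Tenant:
    """Per-org tenant secrets by version (stored encrypted in the database in reality)."""

    def __init__(self):
        self.secrets = {}        # version -> tenant secret material
        self.active_version = 0

    def generate_secret(self) -> int:
        """Generation/rotation: a new secret becomes active; older ones stay for decryption."""
        self.active_version += 1
        self.secrets[self.active_version] = os.urandom(32)
        return self.active_version

    def destroy_secret(self, version: int) -> None:
        """Destruction: data protected under this version can no longer be decrypted."""
        self.secrets.pop(version, None)


class AppServer:
    def __init__(self, kds: KeyDerivationServer, release: str):
        self.kds = kds
        self.release = release
        self.cache = {}          # (org_id, version) -> derived data encryption key
        self.derivations = 0     # round trips to the key derivation server

    def data_key(self, org_id: int, tenant: Tenant, version: int) -> bytes:
        slot = (org_id, version)
        if version not in tenant.secrets:          # destroyed: evict any cached key, refuse
            self.cache.pop(slot, None)
            raise KeyError(f"tenant secret v{version} was destroyed")
        if slot not in self.cache:                 # cache miss: derive in the "HSM"
            self.derivations += 1
            self.cache[slot] = self.kds.derive(tenant.secrets[version], self.release)
        return self.cache[slot]

    def encrypt_field(self, org_id: int, tenant: Tenant, plaintext: bytes) -> dict:
        version, nonce = tenant.active_version, os.urandom(12)
        key = self.data_key(org_id, tenant, version)
        # The key version is stored with the ciphertext so the matching key is found later.
        return {"version": version, "nonce": nonce,
                "ciphertext": prf_stream_xor(key, nonce, plaintext)}

    def decrypt_field(self, org_id: int, tenant: Tenant, record: dict) -> bytes:
        key = self.data_key(org_id, tenant, record["version"])
        return prf_stream_xor(key, record["nonce"], record["ciphertext"])


def walkthrough() -> dict:
    """Generate -> encrypt -> rotate -> encrypt -> destroy; reports what was observed."""
    app, tenant, org = AppServer(KeyDerivationServer(MASTER_SECRET), "v1"), Tenant(), 1
    tenant.generate_secret()
    old = app.encrypt_field(org, tenant, b"123-45-6789")
    app.encrypt_field(org, tenant, b"987-65-4321")    # same version: key served from cache
    after_two = app.derivations
    tenant.generate_secret()                           # rotation: v2 becomes active
    new = app.encrypt_field(org, tenant, b"555-55-5555")
    old_after_rotation = app.decrypt_field(org, tenant, old) == b"123-45-6789"
    keys_differ = app.cache[(org, 1)] != app.cache[(org, 2)]
    tenant.destroy_secret(1)
    try:
        app.decrypt_field(org, tenant, old)
        old_after_destroy = True
    except KeyError:
        old_after_destroy = False
    return {"derivations_after_two_encrypts": after_two, "derivations_total": app.derivations,
            "new_record_version": new["version"], "keys_differ": keys_differ,
            "old_readable_after_rotation": old_after_rotation,
            "old_readable_after_destroy": old_after_destroy,
            "new_readable_after_destroy": app.decrypt_field(org, tenant, new) == b"555-55-5555"}
```

Running `walkthrough()` shows two encryptions under one tenant secret cost a single derivation, rotation triggers exactly one more, and destroying the earlier tenant secret evicts its cached key and makes the earlier record unreadable while the current one stays readable.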
What’s the Difference Between Classic Encrypted Custom Fields and Platform Encryption?
The following table compares Classic Encrypted Custom Fields and Platform Encryption solutions.
| Feature | Classic Encrypted Custom Fields (included in base user license) | Platform Encryption (additional fee applies) |
|---|---|---|
| Encryption at Rest | | |
| Native Solution (No Hardware or Software Is Required) | | |
| Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES) |
| HSM-based Key Derivation | | |
| “Manage Encryption Keys” Permission | | |
| Generate, Export, Import, and Destroy Keys | | |
| PCI-DSS L1 Compliance | | |
| Text (Encrypted) Field Type | (Dedicated custom field type, limited to 175 characters) | |
| Mask Types and Characters | | |
| “View Encrypted Data” Permission Is Required to Read Encrypted Field Values | | |
| Email Template Values Respect “View Encrypted Data” Permission | | |
| Encrypted Standard Fields | | * |
| Encrypted Attachments, Files, and Content | | |
| Encrypted Custom Short Text, Long Text Area, Phone, Email, and URL Fields | | |
| Encrypt Existing Fields for Supported Custom Field Types | | |
| Search (UI, Partial Search, Lookups) | | |
| Available in Workflow Rules and Workflow Field Updates | | |
| Available in Approval Process Entry Criteria and Approval Step Criteria | | |