The pattern: classify fields by sensitivity (Data Classification feature), encrypt the high-sensitivity fields with Shield, accept default at-rest encryption for everything else, document the encryption posture for auditors. The cost is real (Shield license, key management work, functional trade-offs); the compliance benefit is the audit-defensible answer.
- Classify fields by sensitivity through Data Classification: use the Data Classification feature to tag each field with a Sensitivity Level. The classification drives the encryption decisions; without it, those decisions are guesses.
- Identify fields requiring customer-managed keys: fields classified Confidential or Restricted, plus anything in regulatory scope (PII, PHI, payment data). This list is the Shield encryption target.
- License Shield Platform Encryption: Shield is a separate SKU. Coordinate procurement; rollout is typically 4 to 8 weeks from purchase to encrypted-in-production.
- Configure Shield in sandbox first: in Setup, open Platform Encryption, generate or import keys, and encrypt the target fields. Test the functional impact (reports, list views, formulas).
- Plan the production rollout, including re-encryption time: encrypting a field that already holds data requires the platform to re-encrypt historical records, which can take hours to days depending on volume.
- Document the encryption posture: which fields are Shield-encrypted, who holds the keys, and what the rotation schedule is. This document is the compliance evidence.
- Plan annual key rotation: rotate keys per the compliance schedule (annually for most HIPAA-grade contexts). Coordinate in advance; rotation is a multi-week effort.
- Encryption layer: TLS in transit, default at-rest, Classic Encryption, Shield Platform Encryption. Pick the layer matching the requirement.
- Key ownership: Salesforce-managed (default at-rest) or customer-managed (Shield BYOK/CMK). Compliance drives the choice.
- Encryption scope: which specific fields and files are Shield-encrypted. Limit to compliance-required ones to minimize functional impact.
- Rotation cadence: annually for HIPAA-grade, less frequent for lighter compliance. Coordinate with the key management team.
- Functional trade-offs: each encrypted field accepts some report, formula, or filter limitations. Document the accepted trade-offs.
- Encrypting every field produces slow, hard-to-report behavior. Limit Shield encryption to compliance-required fields.
- Formula fields cannot reference Shield-encrypted source fields. Pre-existing formulas break when their source becomes encrypted; audit before encrypting.
- Key rotation is a multi-week operational project. Plan as a project with testing, not as a one-click change.
- Classic Encryption and Shield Platform Encryption are different products. Most modern orgs need Shield; Classic is legacy.
- Default at-rest encryption satisfies basic encryption requirements but does not provide customer key control. Regulated contexts usually need Shield.
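An added example (not code from the original page or from Salesforce) that turns the classification step into a Shield target list and runs the formula-dependency audit called for above before anything is encrypted. The field inventory and its key names are constructed for this example; in practice they would come from a FieldDefinition query or a metadata export.

```python
import re

# Constructed field inventory (not a real org export). The keys mirror the
# Data Classification attributes (sensitivity level, compliance categories)
# but the record shape itself is an assumption for this example.
FIELDS = [
    {"name": "Contact.Email", "level": "Confidential", "compliance": {"PII"}, "formula": None},
    {"name": "Contact.SSN__c", "level": "Restricted", "compliance": {"PII"}, "formula": None},
    {"name": "Contact.Diagnosis__c", "level": "Internal", "compliance": {"PHI"}, "formula": None},
    {"name": "Contact.Card_Last4__c", "level": "Confidential", "compliance": {"PCI"}, "formula": None},
    {"name": "Contact.Region__c", "level": "Internal", "compliance": set(), "formula": None},
    {"name": "Contact.Masked_SSN__c", "level": "Internal", "compliance": set(),
     "formula": "RIGHT(SSN__c, 4)"},
    {"name": "Contact.Region_Label__c", "level": "Public", "compliance": set(),
     "formula": "TEXT(Region__c)"},
]

SENSITIVE_LEVELS = {"Confidential", "Restricted"}
REGULATED_GROUPS = {"PII", "PHI", "PCI"}  # PCI is used here as the label for payment data


def select_shield_targets(fields):
    """Return the Shield encryption target list: non-formula fields that are
    Confidential/Restricted or carry a regulatory compliance category."""
    return sorted(
        f["name"] for f in fields
        if f["formula"] is None
        and (f["level"] in SENSITIVE_LEVELS or f["compliance"] & REGULATED_GROUPS)
    )


def formulas_broken_by(fields, targets):
    """Map each formula field to the target fields it references. Same-object
    references only; cross-object paths (Account.Name) are out of scope here."""
    local = {t.split(".", 1)[1]: t for t in targets}  # API name without object prefix
    broken = {}
    for f in fields:
        if f["formula"] is None:
            continue
        refs = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", f["formula"]))
        hits = sorted(local[r] for r in refs & local.keys())
        if hits:
            broken[f["name"]] = hits
    return broken


if __name__ == "__main__":
    targets = select_shield_targets(FIELDS)
    print("Shield targets:", targets)
    print("Formulas to fix before encrypting:", formulas_broken_by(FIELDS, targets))
```

Any formula reported by the audit has to be rewritten or retired in the sandbox pass before the source field is encrypted in production.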