Encrypted data at rest is on by default. Configuration only applies when you choose to layer Shield Platform Encryption, BYOK, or Cache-Only Keys on top. The steps below cover that customer-control rollout.
- Confirm Shield license
Check that your org has the Shield Platform Encryption license added. Without the license, Encryption Settings shows only the default platform encryption status.
- Identify fields and files to encrypt
Work with security and business teams to list which fields are sensitive enough to require Shield. PII, financial data, and protected health information are typical candidates.
- Audit downstream impact
For each candidate field, check whether any SOQL query filters, sorts, or groups by it, whether validation rules or Flow logic reference it, and whether reports filter or group by it. Encryption breaks several of these patterns, so refactor them before encrypting.
- Generate the tenant secret
Setup > Encryption Settings > Key Management > Generate Tenant Secret. The platform creates a new key under Salesforce-managed mode; for BYOK, upload your own key material instead.
- Enable field-level encryption
For each target field, click Edit in Encryption Settings and check Encrypted. Choose Probabilistic or Deterministic per field based on the query patterns you identified.
- Wait for encryption to apply
The platform encrypts existing data asynchronously. For large orgs this takes hours; query the status from Encryption Statistics to confirm completion before declaring rollout complete.
- Plan key rotation cadence
Add a quarterly or annual tenant secret rotation to your security calendar. Generating a new tenant secret is non-disruptive: data encrypted under the previous secret stays readable until it is re-encrypted in the background, and the rotation produces audit log entries that compliance teams expect to see.
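The downstream audit (step 3) and the per-field scheme choice (step 5) can be scripted rather than done by hand. The Go program below is an added example, not Salesforce tooling: it scans SOQL strings for each candidate field (a constructed sample here; in practice the strings would be extracted from Apex classes, Flows and report metadata) and applies the rules of the scheme table further down: a field nothing queries can take probabilistic encryption, a field used only in exact-match filters needs deterministic, and any wildcard, range, ORDER BY or GROUP BY use must be refactored before the field is encrypted. Object, field and variable names are made up, and treating a LIKE pattern bound at runtime as a wildcard is a deliberately conservative assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// FieldUsage records how the SOQL in a code base touches one candidate field.
type FieldUsage struct {
	Equality bool // WHERE Field = / != / IN (...)
	Wildcard bool // WHERE Field LIKE with % or _, or a bound pattern
	Range    bool // WHERE Field < > <= >=
	OrderBy  bool // ORDER BY Field
	GroupBy  bool // GROUP BY Field
}

// Recommend applies the scheme table: nothing queries the field -> probabilistic;
// exact-match filters only -> deterministic; anything else is supported by
// neither scheme, so the query must be refactored before the field is encrypted.
func Recommend(u FieldUsage) string {
	switch {
	case u.Wildcard || u.Range || u.OrderBy || u.GroupBy:
		return "refactor-first"
	case u.Equality:
		return "deterministic"
	default:
		return "probabilistic"
	}
}

// clause returns one SOQL clause (upper-cased, whitespace normalised): the text
// after the first occurrence of start, cut at the earliest of the stop keywords.
func clause(q, start string, stops ...string) string {
	norm := " " + strings.ToUpper(strings.Join(strings.Fields(q), " ")) + " "
	i := strings.Index(norm, start)
	if i < 0 {
		return ""
	}
	rest := norm[i+len(start):]
	end := len(rest)
	for _, s := range stops {
		if j := strings.Index(rest, s); j >= 0 && j < end {
			end = j
		}
	}
	return rest[:end]
}

// AuditSOQL builds a usage profile per candidate field over all queries.
// Matching is case-insensitive, as SOQL identifiers are.
func AuditSOQL(queries, fields []string) map[string]FieldUsage {
	out := make(map[string]FieldUsage)
	for _, f := range fields {
		F := regexp.QuoteMeta(strings.ToUpper(f))
		ref := regexp.MustCompile(`\b` + F + `\b`)
		eq := regexp.MustCompile(`\b` + F + `(\s*(=|!=)|\s+(NOT\s+)?IN\b)`)
		rng := regexp.MustCompile(`\b` + F + `\s*(<=|>=|<|>)`)
		// A LIKE pattern bound at runtime (:var) is treated as a wildcard, conservatively.
		like := regexp.MustCompile(`\b` + F + `\s+(NOT\s+)?LIKE\s+('[^']*[%_][^']*'|:\w+)`)
		var u FieldUsage
		for _, q := range queries {
			where := clause(q, " WHERE ", " GROUP BY ", " ORDER BY ", " LIMIT ")
			where = strings.ReplaceAll(where, "<>", "!=") // so <> is not read as a range
			u.Equality = u.Equality || eq.MatchString(where)
			u.Range = u.Range || rng.MatchString(where)
			u.Wildcard = u.Wildcard || like.MatchString(where)
			u.GroupBy = u.GroupBy || ref.MatchString(clause(q, " GROUP BY ", " HAVING ", " ORDER BY ", " LIMIT "))
			u.OrderBy = u.OrderBy || ref.MatchString(clause(q, " ORDER BY ", " LIMIT ", " OFFSET "))
		}
		out[f] = u
	}
	return out
}

// RecommendAll is the report a rollout team would review before enabling encryption.
func RecommendAll(queries, fields []string) map[string]string {
	rec := make(map[string]string)
	for f, u := range AuditSOQL(queries, fields) {
		rec[f] = Recommend(u)
	}
	return rec
}

// Constructed sample: SOQL as it might be pulled out of Apex classes. Object,
// field and variable names are made up for this example.
var SampleQueries = []string{
	"SELECT Id, Name FROM Contact WHERE SSN__c = :ssn",
	"SELECT Id FROM Contact WHERE Email LIKE 'john%' ORDER BY LastName",
	"SELECT Account_Number__c, COUNT(Id) FROM Contact GROUP BY Account_Number__c",
	"SELECT Id FROM Contact WHERE Birthdate__c > :cutoff LIMIT 100",
	"SELECT Id, Description FROM Case WHERE Status = 'New'",
}

var SampleFields = []string{"SSN__c", "Email", "Account_Number__c", "Birthdate__c", "Description"}

func main() {
	for f, r := range RecommendAll(SampleQueries, SampleFields) {
		fmt.Printf("%-18s %s\n", f, r)
	}
}
```

On the sample, SSN__c comes back as deterministic (only an equality filter touches it), Description as probabilistic (nothing queries it), and Email, Account_Number__c and Birthdate__c as refactor-first because of the wildcard LIKE, the GROUP BY and the range comparison respectively. The clause splitter is keyword-based and ignores subqueries; it is a first pass to shrink the list, not a substitute for reading the flagged code.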
| Key mode | Description |
|---|---|
| Salesforce-managed | Default. Salesforce generates and rotates keys. No customer key access. Baseline compliance. |
| BYOK | Customer generates and uploads key material. Customer can destroy the key to revoke all access permanently. |
| Cache-Only Keys | Customer hosts the key in an external KMS. Salesforce fetches it on demand and discards it. Strongest control; adds latency. |
| Scheme | Description |
|---|---|
| Probabilistic | Per-record random IV. Strongest security; blocks SOQL filters, sorts, and GROUP BY on the field. |
| Deterministic | Fixed IV per field. Allows exact-match SOQL filters; blocks LIKE wildcards and full-text search. |
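What the two schemes mean at the byte level, as an added example that is not Salesforce code: AES-256-CBC with a fresh random IV per value (probabilistic) next to the same cipher with one fixed IV per field (deterministic), plus a stand-in for the database evaluating WHERE Field = <value> over stored ciphertexts without the key, by encrypting the probe the same way and comparing bytes. The key, the field name, the records and the HMAC derivation of the per-field IV are constructed assumptions; the platform's actual storage format and IV derivation are not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// PKCS#7 padding so any value length fills whole AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) []byte {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil
	}
	return b[:len(b)-n]
}

// fieldIV is the fixed per-field IV of the deterministic scheme. Deriving it as
// an HMAC of the field name under the tenant secret is an assumption made for
// this example; the platform's own derivation is not given on this page.
func fieldIV(key []byte, field string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("iv:" + field))
	return m.Sum(nil)[:aes.BlockSize]
}

// encryptCBC returns iv || AES-256-CBC(key, iv, pad(value)).
func encryptCBC(key, iv, value []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	p := pkcs7Pad(value)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, p)
	return append(append([]byte{}, iv...), out...)
}

// EncryptProbabilistic: random IV per value, so equal plaintexts never share a ciphertext.
func EncryptProbabilistic(key []byte, value string) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return encryptCBC(key, iv, []byte(value))
}

// EncryptDeterministic: one IV per field, so equal plaintexts in a field share a ciphertext.
func EncryptDeterministic(key []byte, field, value string) []byte {
	return encryptCBC(key, fieldIV(key, field), []byte(value))
}

// Decrypt reverses either scheme; the IV travels with the ciphertext.
func Decrypt(key, blob []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return ""
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	return string(pkcs7Unpad(pt))
}

// CountEqual is the store evaluating WHERE Field = probe on ciphertext alone.
func CountEqual(stored [][]byte, probe []byte) int {
	n := 0
	for _, s := range stored {
		if bytes.Equal(s, probe) {
			n++
		}
	}
	return n
}

// DuplicatePairs counts byte-identical stored ciphertexts: the equality leak of
// deterministic encryption, visible to anyone who can read the column.
func DuplicatePairs(stored [][]byte) int {
	n := 0
	for i := range stored {
		for j := i + 1; j < len(stored); j++ {
			if bytes.Equal(stored[i], stored[j]) {
				n++
			}
		}
	}
	return n
}

// DemoKey is a constructed 256-bit tenant secret for the example, not a real key.
func DemoKey() []byte {
	k := sha256.Sum256([]byte("constructed tenant secret for the example"))
	return k[:]
}

type DemoResult struct{ ProbEqual, DetEqual, DetPrefix, ProbDuplicates, DetDuplicates int }

// Demo encrypts three constructed SSN__c records both ways and runs the probes.
func Demo() DemoResult {
	k := DemoKey()
	records := []string{"123-45-6789", "987-65-4321", "123-45-6789"} // constructed sample
	var prob, det [][]byte
	for _, r := range records {
		prob = append(prob, EncryptProbabilistic(k, r))
		det = append(det, EncryptDeterministic(k, "SSN__c", r))
	}
	return DemoResult{
		ProbEqual:      CountEqual(prob, EncryptProbabilistic(k, "123-45-6789")),
		DetEqual:       CountEqual(det, EncryptDeterministic(k, "SSN__c", "123-45-6789")),
		DetPrefix:      CountEqual(det, EncryptDeterministic(k, "SSN__c", "123-45")), // LIKE '123-45%'
		ProbDuplicates: DuplicatePairs(prob),
		DetDuplicates:  DuplicatePairs(det),
	}
}
```

Demo() returns ProbEqual 0, DetEqual 2, DetPrefix 0, ProbDuplicates 0 and DetDuplicates 1: the probabilistic probe never matches, which is why that scheme blocks filters; the deterministic probe finds both records holding that value, which is the exact-match support the table describes; and the prefix probe finds nothing, because a different plaintext block gives an unrelated ciphertext block, so LIKE 'prefix%' cannot be served from ciphertext either. DetDuplicates is the price of deterministic mode: the column reveals which records share a value without anyone holding the key, which is the caveat to weigh for low-entropy fields before choosing it.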
- Probabilistic encryption breaks any SOQL query that filters, sorts, or groups by the encrypted field. Audit query patterns before encrypting; reports, dashboards, and list views built on those queries may fail.
- BYOK key destruction is irreversible. Destroying the key permanently removes access to all encrypted data, including by Salesforce. Plan key custody and destruction process with extreme care.
- Not every standard field is supported by Shield. The supported field list is published and updated each release; confirm your target fields are on it before promising encryption.
- Cache-Only Keys add latency to every encrypted-field operation. Heavy reports filtering encrypted fields can run noticeably slower; benchmark before production rollout.
- Validation rules and Flow logic that compare encrypted field values may stop working. The platform supports limited operations; complex business logic referencing encrypted fields needs review.