How-to guide

How to set up Encryption Settings in Salesforce

Encryption Settings configures Shield Platform Encryption: it encrypts fields, files, and search indexes at rest using tenant-managed keys. It's a paid Shield add-on and one of the strongest data-at-rest protection options Salesforce offers. Setup is fast; the real work is picking which fields to encrypt.

By Dipojjal Chakrabarti · Editor, Salesforce Dictionary · Last updated Apr 20, 2026


  1. Confirm Shield licensing

    Go to Setup → Encryption Settings. The page is visible only with Shield. Without it, you can use the lighter Classic Encryption (encrypted text fields).

  2. Open Setup → Encryption Settings

    Setup gear → Quick Find: Encryption Settings → Encryption Settings.

  3. Tick Encrypt Files and Attachments

    All file content (Files, Attachments, ContentVersion) gets encrypted at rest. Existing files re-encrypt over time via a background job.

  4. Tick Encrypt Search Indexes

    Encrypts the search index. Salesforce can still search; an attacker with raw disk access can't read the index.

  5. Configure per-field encryption

    Setup → Encryption Settings → Encryption Policy → Encrypt Fields. Pick fields per object. Encrypted fields work normally in the UI but are encrypted at rest.

  6. Save

    Background jobs start re-encrypting existing data. This can take hours to days depending on data volume.

Key options
Encrypt Files and Attachments

Files, Attachments, ContentVersion. One toggle, all-or-nothing.

Encrypt Search Indexes

Search continues to work; raw index files are encrypted at rest.

Per-Field Encryption

Pick specific fields per object. Some field types are unsupported (formula references to encrypted fields, etc.).

Tenant Secret Type

Salesforce-Managed Tenant Secret (default) or Bring Your Own Key (BYOK). BYOK requires you to host the key in an external HSM or KMS.

Gotchas
  • Some field types can't be encrypted: formula fields that reference encrypted fields, fields used in Validation Rules / SOQL filters, and External IDs. Salesforce surfaces these limitations in the encryption picker.
  • Encrypting an existing populated field re-encrypts in the background. Until the job finishes, queries on the field can return inconsistent results. Schedule for off-hours.
  • BYOK gives you key custody but adds operational complexity. If you lose the key, your data becomes permanently unrecoverable. Most orgs use Salesforce-Managed Tenant Secrets unless compliance requires BYOK.
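
A pre-flight check for the first gotcha, as an added example (not code from Salesforce or this guide): it reads CustomField metadata XML and flags fields planned for encryption that are External IDs, plus formula fields that reference a planned field. The sample XML, the field names, and the `preflight` helper are constructed for illustration; validation rules and SOQL filters live outside field metadata and are not checked here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
HEAD = '<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">'

# Constructed sample field metadata (Object.Field -> XML); not from a real org.
SAMPLE_FIELDS = {
    "Contact.SSN__c": HEAD + "<fullName>SSN__c</fullName><type>Text</type></CustomField>",
    "Contact.Legacy_Id__c": HEAD + "<fullName>Legacy_Id__c</fullName><type>Text</type>"
                            "<externalId>true</externalId></CustomField>",
    "Contact.SSN_Last4__c": HEAD + "<fullName>SSN_Last4__c</fullName><type>Text</type>"
                            "<formula>RIGHT(SSN__c, 4)</formula></CustomField>",
    "Contact.Nickname__c": HEAD + "<fullName>Nickname__c</fullName><type>Text</type></CustomField>",
}


def _text(root, tag):
    """Return the stripped text of a direct child element, or ''."""
    node = root.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else ""


def preflight(fields, planned):
    """Map each conflicting field to its warnings for a planned encryption set."""
    findings = {}
    for key, xml in fields.items():
        obj = key.split(".", 1)[0]
        # Field API names planned for encryption on the same object.
        same_obj = {p.split(".", 1)[1] for p in planned if p.startswith(obj + ".")}
        root = ET.fromstring(xml)
        notes = []
        # Identifiers in the formula body that match a planned field name.
        refs = set(re.findall(r"[A-Za-z_]\w*", _text(root, "formula"))) & same_obj
        if refs:
            notes.append("formula references planned field(s): " + ", ".join(sorted(refs)))
        if key in planned and _text(root, "externalId") == "true":
            notes.append("External ID field: listed as not encryptable")
        if notes:
            findings[key] = notes
    return findings


if __name__ == "__main__":
    plan = {"Contact.SSN__c", "Contact.Legacy_Id__c"}
    for field, notes in sorted(preflight(SAMPLE_FIELDS, plan).items()):
        print(field, "->", "; ".join(notes))
```

Run it against the field metadata files in a source-tracked project before opening the encryption picker, so conflicts are known before the background re-encryption job starts.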
