Turning on Shield Platform Encryption from the Encryption Settings page follows a fixed order: create key material first, then choose what to encrypt, then sync existing data. This assumes the Shield Platform Encryption license is provisioned and you hold the Manage Encryption Keys permission.
- Open Encryption Settings
In Setup, use Quick Find to open Encryption Settings (also reachable under Platform Encryption). If the page shows only a read-only status summary, the Shield Platform Encryption license is not provisioned and you cannot configure encryption.
- Generate a tenant secret
On the Key Management tab, generate a tenant secret. This gives the org active key material that the key management server combines with the Salesforce primary secret to derive your data encryption key. Optionally switch the key source to BYOK or Cache-Only Key Service here.
- Select fields and a scheme
In the Encryption Policy field list, check the standard and custom fields to encrypt. Pick deterministic encryption for fields you must filter or match on, and probabilistic for the rest. Save to flag the fields; this encrypts only newly written data.
- Encrypt files and search if needed
Still in Encryption Policy, turn on the org-wide toggles for Salesforce Files and attachments and for the search index if your compliance scope requires them. These apply to all new content, with existing content handled by a background process.
- Sync existing data
Open Encryption Statistics and Data Sync, confirm current coverage, then trigger the self-service background encryption service to encrypt records that predate your policy. Watch each object climb to 100% encrypted before calling the rollout complete.
Per field, choose probabilistic (strongest, no filtering) or deterministic (filterable and usable in matching rules). Deterministic must be enabled for the org before it appears as a per-field choice.
Let Salesforce generate the tenant secret, bring your own key (BYOK) from your own hardware, or use Cache-Only Key Service so the key is fetched from an external store and never stored in Salesforce.
Org-wide toggles cover Salesforce Files, attachments, Chatter, and the search index. Encrypting the search index hardens compliance but affects some search behaviors, such as wildcards and stemming.
- Flagging a field as encrypted does not encrypt existing records. Only the Data Sync background job covers data written before you turned encryption on.
- Self-service background encryption runs at most once every 7 days, and objects over 10 million records cannot use it; those require a Salesforce support case.
- Destroying a tenant secret is irreversible and makes all data encrypted under it permanently unreadable. Back up tenant secrets and limit who holds Manage Encryption Keys.
- Probabilistic encryption blocks filtering and exact-match on that field. Choose the scheme before a large sync, because changing it later means re-encrypting the data.