How-to guide

Use IVs correctly with Shield and Apex

The IV is a property of the encryption scheme rather than something administrators configure directly. The steps below cover the IV-related decisions during Shield rollout and the patterns for custom Apex encryption.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026

  1. Decide which fields need encryption

    Work with security and compliance to list sensitive fields. Each will need a scheme decision: probabilistic or deterministic.

  2. Audit SOQL patterns per field

    For each candidate field, check what SOQL queries filter, sort, or group by it. Fields used in queries usually need deterministic encryption to preserve functionality.

  3. Choose scheme per field

    For low-cardinality fields where pattern reveal is acceptable (Country, State), deterministic is fine. For high-sensitivity, high-cardinality fields (SSN, account number), use probabilistic.

  4. Enable encryption with chosen scheme

    Setup > Encryption Settings > Encrypted Fields. Edit each field, check Encrypted, and choose the scheme. The platform manages IV generation per the scheme.

  5. For custom Apex, use encryptWithManagedIV

    Any Apex code that encrypts data should use Crypto.encryptWithManagedIV() rather than the manual encrypt(). Managed IV removes developer-side IV mistakes.

  6. Document the IV approach

    For compliance audits, document the IV scheme per field and per custom Apex method. Auditors expect to see this documented for any encrypted data path.

  7. Test edge cases

    For deterministic fields, test that equality queries still work post-encryption. For probabilistic, confirm that other operations (decryption on read) still function as expected.

Key options
Probabilistic encryption

Random IV per record. Strongest security; no SOQL filter/sort.

Deterministic encryption

Derived IV. Allows equality match; reveals value patterns.

Apex Crypto.encrypt()

Developer-provided IV. More flexible but more error-prone.

Apex Crypto.encryptWithManagedIV()

Platform-generated IV. Safer default for custom encryption.

IV storage strategy

Store with ciphertext or derive from plaintext (deterministic). Both are standard; choose based on scheme.

Gotchas
  • Probabilistic encryption blocks SOQL filter, sort, and GROUP BY. Reports and queries on the encrypted field break unless the field is also marked filterable.
  • Deterministic encryption reveals shared values. Use only for low-sensitivity fields where pattern reveal is acceptable.
  • Custom Apex encryption with manual IVs is a common mistake. Hard-coded or predictable IVs catastrophically weaken security.
  • IV reuse with the same key is a serious failure. Shield prevents this; custom code must enforce it explicitly.
  • Compliance auditors expect documented IV handling. Rollout includes documenting the scheme per field for the audit record.
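
The contrast behind step 5 and the manual-IV gotchas, as an added Apex example (not code from the original guide or from Salesforce): a hard-coded IV passed to Crypto.encrypt() makes equal plaintexts produce equal ciphertexts under the same key, while Crypto.encryptWithManagedIV() produces a fresh IV on every call. The class name IvHandlingDemo, its method names, and the sample value are hypothetical and constructed for illustration.

```apex
// Added illustration; class and method names are hypothetical.
public class IvHandlingDemo {

    // Anti-pattern: a constant IV with Crypto.encrypt(). With the same key,
    // equal plaintexts always produce equal ciphertexts.
    public static Blob encryptWithFixedIv(Blob key, String clearText) {
        Blob fixedIv = Blob.valueOf('0000000000000000'); // 16 bytes, hard-coded
        return Crypto.encrypt('AES256', key, fixedIv, Blob.valueOf(clearText));
    }

    // Preferred: the platform generates the IV on each call and stores it
    // as the first 16 bytes of the returned Blob.
    public static Blob encryptManaged(Blob key, String clearText) {
        return Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(clearText));
    }

    // Reads the IV back from the first 16 bytes, then decrypts the rest.
    public static String decryptManaged(Blob key, Blob ivAndCipherText) {
        return Crypto.decryptWithManagedIV('AES256', key, ivAndCipherText).toString();
    }

    // Run from Anonymous Apex: IvHandlingDemo.run();
    public static void run() {
        Blob key = Crypto.generateAesKey(256); // demo key, generated in memory
        String sample = '123-45-6789';         // constructed sample value

        // Fixed IV: two encryptions of the same value are byte-identical.
        String fixedA = EncodingUtil.convertToHex(encryptWithFixedIv(key, sample));
        String fixedB = EncodingUtil.convertToHex(encryptWithFixedIv(key, sample));
        System.assertEquals(fixedA, fixedB, 'fixed IV: identical ciphertexts');

        // Managed IV: same value, same key, different output each time.
        Blob managedA = encryptManaged(key, sample);
        Blob managedB = encryptManaged(key, sample);
        String hexA = EncodingUtil.convertToHex(managedA);
        String hexB = EncodingUtil.convertToHex(managedB);
        System.assertNotEquals(hexA, hexB, 'managed IV: ciphertexts differ');
        // The first 16 bytes (32 hex characters) are the per-call IV.
        System.assertNotEquals(hexA.substring(0, 32), hexB.substring(0, 32));

        // Both managed ciphertexts decrypt to the original value.
        System.assertEquals(sample, decryptManaged(key, managedA));
        System.assertEquals(sample, decryptManaged(key, managedB));
    }
}
```

Because managed-IV output differs on every call, it cannot be compared for equality, which is the same trade-off the guide describes for probabilistic fields.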
