How-to guide

Turn on Shield Platform Encryption for a Salesforce field

Enable Platform Encryption on a specific field so the data is unreadable at rest without the customer-controlled tenant key, while remaining functional for users in the UI.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 26, 2026


  1. Confirm the Shield license

    Setup, Company Information. Verify Platform Encryption is listed under Permission Set Licenses. Without the license, the encryption controls do not appear.

  2. Generate a tenant secret

    Setup, Platform Encryption, Key Management (your user needs the Manage Encryption Keys permission). Click Generate Tenant Secret. Salesforce creates a customer-controlled tenant secret and derives the data encryption keys from it. Optionally supply your own tenant secret under Bring Your Own Key: generate it outside Salesforce, wrap it with the certificate Salesforce issues for the upload, and upload the wrapped secret.

  3. Pick a field to encrypt

    Setup, Platform Encryption, Encryption Policy, Encrypt Fields. The list shows supported fields per object. Select the target field (Account.Name, Contact.Email, etc.).

  4. Choose the encryption scheme

    Probabilistic or Deterministic. Probabilistic encryption produces a different ciphertext every time the same value is stored, so nothing can compare ciphertexts: the field cannot be used in SOQL WHERE clauses, report or list view filters, or as a unique or external ID. Deterministic encryption always maps a given value to the same ciphertext, so exact-match filtering (=, !=, IN) works, but anyone who can read the stored ciphertexts can tell which records share a value. It comes in case-sensitive and case-insensitive variants; neither supports wildcard (LIKE) or range comparisons, and no encrypted field can be sorted on. Choose deterministic only for fields that must be filtered on or kept unique; use probabilistic for everything else.

  5. Activate and wait for backfill

    Click Encrypt (Save). From that point, values written to the field are encrypted on save. Existing values are not rewritten automatically: run a sync from Setup, Platform Encryption, Encryption Statistics and Data Sync to encrypt them in place. The job runs in the background and can take hours for large orgs; the statistics page shows how many values are still unencrypted, which is also the number an auditor will ask for when checking that the field is fully covered.

  6. Verify and document

    Open a record. The field renders normally to any user with field-level access, because Platform Encryption protects data at rest and is not an access control: field-level security, profiles and sharing still decide who sees the plaintext. Confirm the field's encryptionScheme in retrieved metadata, then add the field, its scheme and the sync result to your security control evidence file for audit.
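The scheme choice in step 4 and the evidence in step 6 are easier to get right with a small check over retrieved metadata. The script below is an example added for this guide, not Salesforce tooling. It assumes object metadata pulled with the Salesforce CLI (for instance `sf project retrieve start -m CustomObject:Account`), which writes one `<CustomField>` XML document per field under `objects/<Object>/fields/`, and that `<encryptionScheme>` carries the Metadata API values `None`, `ProbabilisticEncryption`, `CaseSensitiveDeterministicEncryption` or `CaseInsensitiveDeterministicEncryption`. The field XML and SOQL queries embedded here are constructed samples; the function names are the example's own.

```python
"""Evidence and compatibility check for Shield Platform Encryption fields.

Added example for this guide, not Salesforce's own tooling. Assumes field
metadata retrieved with the Salesforce CLI (one <CustomField> document per
field) and the Metadata API's <encryptionScheme> values.
"""
import json
import re
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# <encryptionScheme> values as the Metadata API writes them (assumed set).
PROBABILISTIC = "ProbabilisticEncryption"
DETERMINISTIC = {"CaseSensitiveDeterministicEncryption",
                 "CaseInsensitiveDeterministicEncryption"}

# Constructed sample: field documents for two Account fields and one Contact field.
SAMPLE_FIELDS = {
    "Account": [
        """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
  <fullName>Name</fullName>
  <encryptionScheme>ProbabilisticEncryption</encryptionScheme>
</CustomField>""",
        """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
  <fullName>Tax_ID__c</fullName>
  <encryptionScheme>CaseSensitiveDeterministicEncryption</encryptionScheme>
  <externalId>true</externalId>
  <type>Text</type>
</CustomField>""",
    ],
    "Contact": [
        """<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
  <fullName>Email</fullName>
  <encryptionScheme>None</encryptionScheme>
</CustomField>""",
    ],
}

# Constructed sample queries taken from an imaginary integration.
SAMPLE_QUERIES = [
    "SELECT Id FROM Account WHERE Name = 'Acme'",                # probabilistic filter: breaks
    "SELECT Id FROM Account WHERE Tax_ID__c = '12-3456789'",      # deterministic exact match: fine
    "SELECT Id FROM Account WHERE Tax_ID__c LIKE '12-%'",         # deterministic wildcard: breaks
    "SELECT Id FROM Contact WHERE Email = 'a@example.com' ORDER BY Email",  # plaintext: fine
]


def parse_scheme(xml_text):
    """Return (fieldName, scheme) for one CustomField document; a missing
    <encryptionScheme> element means the field is not encrypted."""
    root = ET.fromstring(xml_text)
    name = root.find(NS + "fullName").text
    node = root.find(NS + "encryptionScheme")
    return name, (node.text if node is not None else "None")


def load_schemes(fields_by_object):
    """Map 'Object.Field' -> scheme across every retrieved field document."""
    schemes = {}
    for obj, docs in fields_by_object.items():
        for doc in docs:
            name, scheme = parse_scheme(doc)
            schemes[f"{obj}.{name}"] = scheme
    return schemes


_FROM = re.compile(r"\bFROM\s+(\w+)", re.I)
_WHERE = re.compile(r"\bWHERE\s+(.*?)(?:\bORDER\s+BY\b|\bGROUP\s+BY\b|\bLIMIT\b|$)", re.I | re.S)
_ORDER = re.compile(r"\bORDER\s+BY\s+([\w\s,]+?)(?:\bLIMIT\b|$)", re.I)
# field followed by a comparison operator; NOT IN is deliberately not handled here
_COND = re.compile(r"\b(\w+)\s*(=|!=|<>|<=|>=|<|>|\bLIKE\b|\bIN\b)", re.I)


def check_soql(query, schemes):
    """List the run-time failures a query would hit: any filter or sort on a
    probabilistic field, and wildcard/range filters or sorts on a deterministic one."""
    problems = []
    m = _FROM.search(query)
    if not m:
        return problems
    obj = m.group(1)
    w = _WHERE.search(query)
    if w:
        for field, op in _COND.findall(w.group(1)):
            scheme = schemes.get(f"{obj}.{field}", "None")
            op = op.upper()
            if scheme == PROBABILISTIC:
                problems.append(f"{obj}.{field}: probabilistic field cannot be filtered ({op})")
            elif scheme in DETERMINISTIC and op not in ("=", "!=", "<>", "IN"):
                problems.append(f"{obj}.{field}: deterministic field allows exact match only, not {op}")
    o = _ORDER.search(query)
    if o:
        for term in o.group(1).split(","):
            field = term.split()[0]  # drop ASC/DESC
            if schemes.get(f"{obj}.{field}", "None") != "None":
                problems.append(f"{obj}.{field}: encrypted fields cannot be sorted on")
    return problems


def audit(fields_by_object, queries):
    """Evidence record for step 6: scheme per field plus every query that would break."""
    schemes = load_schemes(fields_by_object)
    broken = {}
    for q in queries:
        found = check_soql(q, schemes)
        if found:
            broken[q] = found
    return {"fields": schemes, "broken_queries": broken}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_FIELDS, SAMPLE_QUERIES), indent=2))
```

Point the `SAMPLE_FIELDS` loader at the real `fields/` directory and feed it the SOQL from your integrations and Apex before you flip the field in production; a probabilistic field that some job filters on is the failure most often discovered only after activation.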

Key options
Tenant Secret

Customer-controlled key from which Salesforce derives the data encryption keys, in combination with a Salesforce-held master secret. Customer control means you decide when it is generated, rotated, archived or destroyed; it does not mean Salesforce never handles it, since the derivation runs on Salesforce infrastructure. Destroying a tenant secret makes data encrypted under it unrecoverable unless you exported the secret first.

Bring Your Own Key

Option to generate the tenant secret outside Salesforce (in your own HSM, AWS KMS, Azure Key Vault or similar), wrap it with the certificate Salesforce issues for the purpose, and upload the wrapped secret. Salesforce still unwraps and uses it; the gain is key provenance and a copy that lives outside the platform.

Probabilistic vs Deterministic

Encryption scheme choice. Probabilistic reveals nothing about which records share a value but cannot be filtered; deterministic enables exact-match filtering and unique or external ID fields at the cost of revealing equality between stored values.

Cache-Only Key Service

Highest-security option: Salesforce does not store the key material at all. It fetches the key on demand from a key service you host, via an endpoint configured with a named credential, keeps it only in a short-lived in-memory cache, and fetches it again when the cache expires. Your endpoint becomes a hard dependency: if it is unreachable once the cache has expired, the encrypted data is unreadable until it returns, so build it for high availability and monitor it.

Gotchas
  • Encrypting a field breaks some downstream features: external IDs and unique fields (unless the field is deterministic), filters and sorts on the field in SOQL, reports and list views, and certain Einstein features that train on the raw data. Test in a sandbox first.
  • Tenant key rotation needs an operational schedule. Salesforce does not rotate tenant secrets for you, and generating a new one only affects data written afterwards; older data stays readable through the archived secret until you run a data sync to re-encrypt it. Fix the rotation interval in policy (annual is a common audit expectation), and never destroy an archived secret without a verified export, because that makes the data encrypted under it unrecoverable.
  • Shield Event Monitoring logs are not free to store. Routing them to Splunk or Datadog costs ingestion fees; budget the downstream cost when planning the Shield rollout.
  • Field Audit Trail extends history retention (up to 10 years) but does not retroactively capture older changes. Standard field history is kept for 18 months in the org (24 months through the API), so if you need 10-year history starting today, only changes made after activation get the longer retention.
