Salesforce Dictionary - Free Salesforce Glossary
Salesforce Architect
medium

How do you architect encryption (Shield, masking, in-transit) in Salesforce?

Encryption types:

1. Encryption in transit.

  • TLS / HTTPS automatically applied to all Salesforce traffic.
  • Mutual TLS for advanced authentication.
  • VPN / private connections for highly secure integrations.

This is automatic; you don't configure it, but you should know it is there.

2. Encryption at rest — Salesforce-managed (default).

  • All data on Salesforce servers encrypted at rest.
  • Salesforce manages the keys.
  • No additional cost.
  • Adequate for most data.

3. Shield Platform Encryption (paid add-on from Salesforce).

  • Tenant-managed keys — your org has its own encryption keys.
  • Field-level encryption — encrypt selected fields (Account.Phone, Contact.Email, custom fields).
  • File encryption — encrypt files.
  • Bring Your Own Key (BYOK) — derive keys outside Salesforce, import.
  • Cache-Only Key Service — keys are fetched from your key service on demand and only cached, never persisted in Salesforce.

Trade-offs:

  • Encrypted fields can break some declarative features (formulas referencing them, certain SOQL filters).
  • Encryption keys can be revoked, rendering data unreadable.
  • Performance impact (typically minimal).

4. Field-Level Security (FLS).

Not strictly encryption, but it controls who can see fields. FLS layers on top of encryption: a field can be encrypted but visible to a user, or encrypted and hidden from them.

5. Masking.

  • Production data sanitisation for sandboxes.
  • Tokenisation of PCI data — store token; resolve to real data only when needed.

Architecture decisions:

1. What to encrypt at field level?

Only fields classified Restricted / Mission Critical. Don't blanket-encrypt; there is a performance cost.

2. Key management:

  • Salesforce-managed (default) — adequate for most.
  • Tenant-managed (Shield) — for advanced control.
  • BYOK — for ultimate control; complex.
  • Cache-only — for highest security; complex.

3. Encryption + features.

Test that critical workflows still work post-encryption:

  • Validation rules referencing encrypted fields.
  • Reports filtering on encrypted fields.
  • SOQL queries with WHERE on encrypted fields.

Some will break; design around it or accept the limitation.
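One way to run the SOQL part of that check, as an added example that is not part of the glossary entry: an Apex utility that lists the Shield-encrypted text fields on an object and probes whether an equality filter on each still works (under the probabilistic scheme the query fails; under the deterministic scheme exact match works). The object name is a parameter; the running user is assumed to have read access to the object.

```apex
// Added example (not Salesforce's or the glossary's code).
// Probes each Shield-encrypted text field on an object with an equality filter
// and records whether SOQL accepted it. Run from a test or anonymous Apex.
public with sharing class EncryptedFieldFilterCheck {
    public class Result {
        public String fieldName;
        public Boolean filterSupported;
        public String error;
    }

    // Field types that can legitimately be compared to a string literal in WHERE.
    private static final Set<Schema.DisplayType> TEXT_TYPES = new Set<Schema.DisplayType>{
        Schema.DisplayType.STRING, Schema.DisplayType.EMAIL,
        Schema.DisplayType.PHONE, Schema.DisplayType.URL
    };

    public static List<Result> probe(String objectName) {
        List<Result> results = new List<Result>();
        Schema.SObjectType sot = Schema.getGlobalDescribe().get(objectName);
        if (sot == null) {
            throw new IllegalArgumentException('Unknown object: ' + objectName);
        }
        // Use the describe name, not the caller's string, when building the query.
        String safeObject = sot.getDescribe().getName();
        for (Schema.SObjectField f : sot.getDescribe().fields.getMap().values()) {
            Schema.DescribeFieldResult d = f.getDescribe();
            // isEncrypted() is true for fields under Shield Platform Encryption.
            if (!d.isEncrypted() || !TEXT_TYPES.contains(d.getType())) { continue; }
            Result r = new Result();
            r.fieldName = d.getName();
            // Random probe value: we only care whether the filter is accepted.
            String probeValue = 'probe-' + String.valueOf(Crypto.getRandomInteger());
            try {
                // Bind variable keeps the probe value out of the query string.
                Database.query('SELECT Id FROM ' + safeObject + ' WHERE '
                               + d.getName() + ' = :probeValue LIMIT 1');
                r.filterSupported = true;
            } catch (QueryException e) {
                // Probabilistic encryption: the "cannot be filtered" error lands here.
                r.filterSupported = false;
                r.error = e.getMessage();
            }
            results.add(r);
        }
        return results;
    }
}
```

Fields that come back with filterSupported = false are the ones whose reports, validation rules and queries need a redesign or a switch to the deterministic scheme.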

4. Audit:

  • Encryption events logged.
  • Key rotation policy.
  • Backup keys for disaster recovery.

5. Compliance:

  • PCI DSS — requires encryption + tokenisation for payment data.
  • HIPAA — requires encryption for PHI.
  • GDPR — recommends encryption for personal data.

Salesforce Shield is the only path to advanced encryption capabilities. Cost is significant; budget appropriately.

Senior architect insight: encryption is necessary for compliance but not sufficient for security. Layer it with FLS, sharing, and audit. Encryption alone doesn't prevent unauthorised access by people with permissions; it prevents access by attackers with infrastructure access.

Don't think of encryption as "the security solution". It's one layer in a defense-in-depth strategy.

Why this answer works

Senior. The encryption-types catalogue and "necessary but not sufficient" insight are mature.
