Definition
Data Encryption in Salesforce refers to the various encryption mechanisms used to protect sensitive data. Salesforce provides Classic Encryption (a 128-bit AES encrypted custom field type for masking data) and Platform Encryption (part of Salesforce Shield, which encrypts data at rest with 256-bit AES encryption while preserving platform functionality like search, workflow, and validation rules). Data is also encrypted in transit using TLS.
Real-World Example
A Salesforce administrator at Coastal Health leverages Data Encryption to maintain data quality and enforce organizational policies across the platform. By properly setting up Data Encryption, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.
Why Data Encryption Matters
Salesforce offers multiple data encryption mechanisms. Classic Encryption is the older option, providing a 128-bit AES encrypted custom field type that masks data and is suitable for narrow use cases. Platform Encryption, part of Salesforce Shield, is the modern enterprise option: it encrypts data at rest using 256-bit AES while preserving platform functionality like search, workflow, validation rules, and formulas on most encrypted fields. Data in transit is always encrypted with TLS regardless of which at-rest encryption you use.
Choosing the right encryption strategy depends on regulatory and business requirements. Industries handling protected health information, financial data, or PII typically require Platform Encryption because it's auditable, key-managed, and certified for compliance frameworks. Classic Encryption is too narrow for most modern needs. Platform Encryption supports encrypting standard and custom fields, files, attachments, and search indexes, with key management controlled through the Setup interface. The key tradeoff is that some features (like certain formula functions and external lookups) have limitations on encrypted fields, so encryption planning matters.
How Organizations Use Data Encryption
- Redwood Financial — Enabled Platform Encryption on Account, Contact, and custom Loan object fields containing PII. The encryption satisfied their bank regulator's audit requirements without breaking workflows or reports.
- Coastal Health — Uses Platform Encryption for protected health information stored on Patient and Encounter records. The encryption is required for HIPAA compliance and preserves the search and reporting features the clinical team relies on.
- ShieldGuard Security — Audits encrypted field usage quarterly to ensure new fields holding sensitive data get added to the encryption policy. The audit caught two unencrypted fields that had slipped through review.
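
One way to run the kind of field audit described for ShieldGuard Security, as an added example that is not code from the original page or from Salesforce. It assumes field metadata retrieved in source format (`*.field-meta.xml`), where `encryptionScheme` marks Platform Encryption and the `EncryptedText` type marks Classic Encryption; the name patterns and sample fields are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: name fragments that suggest sensitive content; tune per org policy.
SENSITIVE = re.compile(r"ssn|social|dob|birth|passport|diagnosis|mrn", re.I)

def _field(name, ftype, scheme=None):
    """Build a constructed CustomField metadata document for the sample set."""
    enc = f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else ""
    return (f'<CustomField xmlns="{NS["sf"]}"><fullName>{name}</fullName>'
            f"<type>{ftype}</type>{enc}</CustomField>")

# Constructed sample input keyed by Object.Field (not real org data).
SAMPLE_FIELDS = {
    "Loan__c.Borrower_SSN__c": _field("Borrower_SSN__c", "Text", "ProbabilisticEncryption"),
    "Loan__c.Passport_Number__c": _field("Passport_Number__c", "Text"),
    "Loan__c.Term_Months__c": _field("Term_Months__c", "Number"),
    "Patient__c.Date_of_Birth__c": _field("Date_of_Birth__c", "Date", "None"),
    "Contact.Legacy_Tax_Id__c": _field("Legacy_Tax_Id__c", "EncryptedText"),
}

def classify(xml_text):
    """Return 'classic', 'platform' or 'none' for one field definition."""
    root = ET.fromstring(xml_text)
    ftype = root.findtext("sf:type", default="", namespaces=NS)
    scheme = root.findtext("sf:encryptionScheme", default="None", namespaces=NS)
    if ftype == "EncryptedText":
        return "classic"
    return "platform" if scheme != "None" else "none"

def audit(fields):
    """List (path, reason) findings for fields that need an encryption review."""
    findings = []
    for path, xml_text in sorted(fields.items()):
        state = classify(xml_text)
        field_name = path.split(".", 1)[1]
        if state == "none" and SENSITIVE.search(field_name):
            findings.append((path, "sensitive-looking name, no encryption at rest"))
        elif state == "classic":
            findings.append((path, "Classic Encryption only; check against policy"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_FIELDS):
        print(f"{path}: {reason}")
```

Name matching only surfaces candidates for review; fields whose names do not hint at their contents still need a data-classification pass.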
