Definition
A Salesforce Shield feature (Platform Encryption) that encrypts data stored in the Salesforce database using AES-256 encryption, protecting sensitive fields, files, and attachments while at rest.
Real-World Example
The system admin at BrightEdge Solutions recently implemented Encrypted Data at Rest to control how users interact with Salesforce data and features. After configuring Encrypted Data at Rest in the sandbox and validating it with key stakeholders, they rolled it out to production. User adoption improved because the interface now matches how teams actually work.
Why Encrypted Data at Rest Matters
Encrypted Data at Rest is a Salesforce Shield feature, specifically Platform Encryption, that encrypts data stored in the Salesforce database using AES-256 encryption. It protects sensitive fields, files, and attachments while they're stored, complementing the TLS encryption that protects data in transit. The encryption is transparent to users: they read and write data normally, with the platform handling encryption and decryption automatically based on key management settings.
At-rest encryption is required by many compliance frameworks (HIPAA, PCI DSS, certain regulatory contexts) where sensitive data must be protected against database-level access. It also provides defense in depth: even if someone gained unauthorized database access, encrypted fields would be unreadable without the encryption keys. Platform Encryption supports standard fields, custom fields, files, attachments, and search indexes, with key management controlled by admins. There are some feature limitations on encrypted fields (certain formula functions, external lookups), so encryption planning should include testing for compatibility.
How Organizations Use Encrypted Data at Rest
- Coastal Health — Encrypts all PHI fields with Platform Encryption to satisfy HIPAA requirements. The encryption is transparent to clinical users while protecting data against unauthorized database access.
- Redwood Financial — Uses Encrypted Data at Rest on customer financial fields to satisfy banking regulator audit requirements.
- ShieldGuard Security — Audits encrypted field coverage quarterly to ensure new sensitive fields are added to the encryption policy.
