Encryption Settings
Encryption Settings is the Salesforce Setup page where administrators manage Shield Platform Encryption: tenant secrets, field-level encryption assignments, file encryption, search index encryption, and key rotation.
Definition
The page is the single control plane for everything Shield-related in the org. It is visible only when the Shield Platform Encryption license is provisioned; without the license there is nothing to configure, because Salesforce's baseline encryption at rest is managed entirely by Salesforce and exposes no tenant secrets or per-field policy to the administrator.
The page is split into sub-tabs: Key Management (tenant secrets and rotation), Advanced Encryption Settings (feature toggles such as deterministic encryption and the Cache-Only Key Service), Encryption Statistics (coverage counts and the state of background encryption jobs), and the encryption policy screens that assign encryption to fields, files, and other data elements. A rollout moves across these tabs in order: generate or import a tenant secret, enable encryption on a field, synchronize existing data with the background encryption service, rotate the tenant secret on schedule, and verify coverage across the org.
Navigating the Encryption Settings page
Key Management tab
Key Management is where tenant secrets live. The tab lists every tenant secret the org has had, selected by tenant secret type (Data in Salesforce, Search Index, and others), with its status: the current active secret, archived secrets from earlier rotations, and destroyed ones. From here you generate a new tenant secret, upload a BYOK tenant secret (wrapped with the public key of a BYOK certificate created in the org), register a Cache-Only Key Service key once that feature is enabled on Advanced Encryption Settings, and export secrets for escrow. Rotation is simply generating a new active secret: the previous one becomes archived and still decrypts the data written under it, so existing records stay under the old key until the background encryption service re-encrypts them. Export a tenant secret before you destroy it; data encrypted under a destroyed secret is unreadable until the exported copy is imported again, and a destroyed secret that was never exported cannot be recovered. Most administrators visit this tab only during initial setup and scheduled rotations.
Encrypted Fields screen
The Encrypted Fields screen lists every field in the org that supports Shield encryption and shows which are currently encrypted, which scheme each uses (probabilistic, or deterministic in its case-sensitive or case-insensitive form), and the encryption status. Enabling a field takes seconds and affects only values written from that point on; records saved earlier keep whatever they had until the background encryption service re-encrypts them, so confirm coverage on Encryption Statistics rather than assuming historical data is protected. Choose the scheme deliberately: probabilistic encryption is the default and the stronger option, while deterministic encryption produces the same ciphertext for the same plaintext so that SOQL equality filters and exact-match lookups keep working, at the cost of revealing which records share a value. Deterministic encryption must first be enabled on Advanced Encryption Settings and uses its own tenant secret type. The screen is the master inventory of what Shield protects in your org.
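The Encrypted Fields screen is the inventory, but nothing on it tells you whether the inventory matches your data-classification policy. The script below is an added example, not code from the page or from Salesforce: it parses CustomObject metadata XML (as retrieved with the Metadata API) and reports, for each field the policy says must be encrypted, whether it is encrypted and whether its scheme is one the policy allows, with a note on every deterministic field. The `<encrypted>` and `<encryptionScheme>` elements and the scheme names follow the CustomField metadata type as I understand it (an assumption; verify against your own retrieved files); the sample XML, object, fields and policy are constructed.

```python
"""Shield field-encryption coverage check against a required-field policy.

Added example, not code from the page or from Salesforce. It parses CustomObject
metadata XML as retrieved with the Metadata API and reports, for each field the
policy requires to be encrypted, whether it is encrypted and whether its scheme
is one the policy allows. The <encrypted> and <encryptionScheme> elements and the
scheme names follow the CustomField metadata type (assumed here, verify against
your retrieved files); the sample XML, object, fields and policy are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = "{http://soap.sforce.com/2006/04/metadata}"

DETERMINISTIC = {
    "CaseSensitiveDeterministicEncryption",
    "CaseInsensitiveDeterministicEncryption",
}

# Constructed sample: a retrieved Contact object file trimmed to three fields.
SAMPLE_CONTACT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <fields>
    <fullName>SSN__c</fullName>
    <encrypted>true</encrypted>
    <encryptionScheme>CaseInsensitiveDeterministicEncryption</encryptionScheme>
    <type>Text</type>
  </fields>
  <fields>
    <fullName>Passport_Number__c</fullName>
    <encrypted>false</encrypted>
    <type>Text</type>
  </fields>
  <fields>
    <fullName>Notes__c</fullName>
    <encrypted>true</encrypted>
    <encryptionScheme>ProbabilisticEncryption</encryptionScheme>
    <type>LongTextArea</type>
  </fields>
</CustomObject>
"""

# Constructed policy: fields that must be encrypted, with the schemes allowed for each.
# Deterministic is allowed only where equality filtering is a documented requirement.
POLICY = {
    "Contact.SSN__c": {"ProbabilisticEncryption"},
    "Contact.Passport_Number__c": {"ProbabilisticEncryption", "CaseSensitiveDeterministicEncryption"},
    "Contact.Notes__c": {"ProbabilisticEncryption"},
}


@dataclass
class FieldState:
    encrypted: bool
    scheme: Optional[str]


def parse_field_states(object_name: str, xml_text: str) -> dict[str, FieldState]:
    """Map "Object.Field" to its encryption state from CustomObject metadata XML."""
    root = ET.fromstring(xml_text)
    states: dict[str, FieldState] = {}
    for field in root.findall(f"{NS}fields"):
        name = field.findtext(f"{NS}fullName")
        encrypted = (field.findtext(f"{NS}encrypted") or "false").lower() == "true"
        scheme = field.findtext(f"{NS}encryptionScheme")
        states[f"{object_name}.{name}"] = FieldState(encrypted, scheme)
    return states


def audit(states: dict[str, FieldState], policy: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (field, finding) pairs for policy violations and deterministic-scheme notes."""
    findings: list[tuple[str, str]] = []
    for field in sorted(policy):
        allowed = policy[field]
        state = states.get(field)
        if state is None:
            findings.append((field, "MISSING: field not present in retrieved metadata"))
            continue
        if not state.encrypted:
            findings.append((field, "UNENCRYPTED: policy requires Shield encryption"))
            continue
        if state.scheme not in allowed:
            findings.append((field, f"SCHEME: {state.scheme} is not in the allowed set {sorted(allowed)}"))
        if state.scheme in DETERMINISTIC:
            # Same plaintext -> same ciphertext: filters work, but value equality and
            # frequency become observable in the stored data and in any export of it.
            findings.append((field, "NOTE: deterministic scheme reveals which records share a value"))
    return findings


if __name__ == "__main__":
    for field, finding in audit(parse_field_states("Contact", SAMPLE_CONTACT_XML), POLICY):
        print(f"{field}: {finding}")
```

Run it against the object files from a metadata retrieve after every policy change and after every sandbox refresh; the interesting output is a field that drifted back to unencrypted, or a field that someone switched to deterministic to make a report filter work without anyone reviewing the equality leakage that comes with it.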
Encryption Statistics
Encryption Statistics shows, per object, how many records and fields are encrypted, how many still hold unencrypted data, and the state of background encryption jobs. After enabling encryption on a high-volume field, gather statistics for the object and, if the unencrypted count is not zero, use the Sync action to submit it to the background encryption service; the page then tracks the job to completion. Treat the rollout as complete only when the statistics report the object fully encrypted, and repeat the check after every tenant secret rotation, because rotation by itself does not re-encrypt existing data.
Files and Attachments encryption
Separate from field-level encryption, the encryption policy page has a toggle for Salesforce Files and Attachments. Enabling it encrypts file content under the active Data in Salesforce tenant secret. The toggle is org-wide: once on, every new file is encrypted, and existing files are encrypted by the background encryption service when you synchronize. There is no per-file, per-folder, or per-library selection. Disabling it later requires decrypting every existing file first, a long-running operation, so treat the decision as one-way in practice.
Search index encryption
Salesforce maintains search index files for full-text search across records, and those files sit outside the field-level policy: encrypting a field does not by itself protect the copies of its values held in the index. For stricter compliance, the index can be encrypted under its own Search Index tenant secret, which you generate on Key Management before turning on the toggle. Index encryption has search-behaviour and performance considerations, so test wildcard, partial-match and full-text queries in a sandbox before enabling it in a user-facing org, and enable it only if compliance explicitly requires it.
Permissions to manage encryption
Three permissions gate the page. View Setup and Configuration gives read access to the tabs; Customize Application is needed to change the encryption policy (which fields, files and other data elements are encrypted); Manage Encryption Keys is needed for every operation on Key Management: generating, importing, exporting, rotating and destroying tenant secrets. Manage Encryption Keys is the high-stakes permission because it includes destruction. Grant it through a dedicated permission set to a small set of named individuals rather than through a profile, and audit who holds it quarterly; an over-permissive grant is the single largest risk vector around Shield.
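"Audit quarterly" only works if the audit is mechanical. The script below is an added example, not code from the page or from Salesforce: it takes the JSON that `sf data query --json` prints for the SOQL in `AUDIT_SOQL` and compares every holder of Manage Encryption Keys with a named custodian allowlist, flagging grants to unexpected users, grants that arrive through a profile rather than a dedicated permission set, and holders whose user record is inactive. The PermissionSet boolean column `PermissionsManageEncryptionKeys` and the JSON layout are assumptions based on the standard API naming; the usernames, permission set names and records are constructed.

```python
"""Quarterly audit of who holds the Manage Encryption Keys permission.

Added example, not code from the page or from Salesforce. It reads the JSON that
`sf data query --json` prints for AUDIT_SOQL and compares the holders with a named
custodian allowlist, flagging grants to unexpected users, grants inherited from a
profile rather than a dedicated permission set, and holders whose user is inactive.
The PermissionSet column PermissionsManageEncryptionKeys and the JSON layout are
assumptions based on the standard API naming; usernames and records are constructed.
"""
from __future__ import annotations

import json

AUDIT_SOQL = (
    "SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name, "
    "PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsManageEncryptionKeys = true"
)

# Constructed: a plausible `sf data query -q "$AUDIT_SOQL" --json` result.
SAMPLE_QUERY_OUTPUT = json.dumps({
    "status": 0,
    "result": {
        "totalSize": 4,
        "done": True,
        "records": [
            {"Assignee": {"Username": "alice@example.com", "IsActive": True},
             "PermissionSet": {"Name": "Shield_Key_Custodian", "IsOwnedByProfile": False, "Profile": None}},
            {"Assignee": {"Username": "bob@example.com", "IsActive": True},
             "PermissionSet": {"Name": "Shield_Key_Custodian", "IsOwnedByProfile": False, "Profile": None}},
            {"Assignee": {"Username": "integration@example.com", "IsActive": True},
             "PermissionSet": {"Name": "X00e000000000001", "IsOwnedByProfile": True,
                               "Profile": {"Name": "System Administrator"}}},
            {"Assignee": {"Username": "carol@example.com", "IsActive": False},
             "PermissionSet": {"Name": "Shield_Key_Custodian", "IsOwnedByProfile": False, "Profile": None}},
        ],
    },
})

# Constructed allowlist: the named key custodians approved for this quarter.
ALLOWED_CUSTODIANS = {"alice@example.com", "carol@example.com"}


def holders(query_output: str) -> list[dict]:
    """Flatten the query JSON into one dict per grant of the permission."""
    records = json.loads(query_output)["result"]["records"]
    grants = []
    for rec in records:
        ps = rec["PermissionSet"]
        profile = ps.get("Profile") or {}
        grants.append({
            "username": rec["Assignee"]["Username"],
            "active": bool(rec["Assignee"]["IsActive"]),
            "via_profile": bool(ps.get("IsOwnedByProfile")),
            # Profile-owned permission sets carry an opaque Name; report the profile instead.
            "source": profile.get("Name") or ps["Name"],
        })
    return grants


def audit_key_custodians(query_output: str, allowed: set[str]) -> dict[str, list[str]]:
    """Classify every grant of Manage Encryption Keys against the allowlist."""
    findings: dict[str, list[str]] = {"unexpected": [], "via_profile": [], "inactive": [], "not_granted": []}
    seen: set[str] = set()
    for g in holders(query_output):
        seen.add(g["username"])
        if g["username"] not in allowed:
            findings["unexpected"].append(f'{g["username"]} via {g["source"]}')
        if g["via_profile"]:
            # A profile grant reaches every user on that profile, not a named custodian.
            findings["via_profile"].append(f'{g["username"]} via profile {g["source"]}')
        if not g["active"]:
            findings["inactive"].append(g["username"])
    # Allowlisted custodians with no grant mean either a stale allowlist or a removal
    # that happened outside the change process; both deserve a look.
    findings["not_granted"] = sorted(allowed - seen)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_key_custodians(SAMPLE_QUERY_OUTPUT, ALLOWED_CUSTODIANS), indent=2))
```

Feed it the real query output from a read-only audit user and keep the allowlist under change control; an empty result in every category is the evidence the quarterly review produces.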
Event monitoring integration
The Advanced Encryption Settings tab includes toggles for encrypting event monitoring data (login, API and real-time event streams) at rest. For orgs that run Event Monitoring alongside Shield, this is how the monitoring data itself, not only the business records it describes, is covered. Without it, metadata about user behaviour remains in unencrypted storage even when the source fields are encrypted, and that metadata (who accessed what, from where, and when) is often as sensitive as the records.
Configure Shield through Encryption Settings
Working in Encryption Settings is a sequence of tabs visited in order: permissions first, then Key Management, then encryption assignment, then statistics to confirm completion. The steps below cover a full first-time setup.
- Confirm Shield license
Setup > Company Settings > Company Information. Confirm Shield Platform Encryption is provisioned. Without it the page offers nothing to configure, so rehearse in a sandbox that has the license.
- Grant Manage Encryption Keys to named custodians
Create a dedicated permission set containing Manage Encryption Keys and assign it to a small, named group; the tenant secret step below cannot be performed without it. Policy changes (which fields and files are encrypted) additionally need Customize Application.
- Open Encryption Settings
Setup > Encryption Settings. The page opens on the Key Management tab by default.
- Generate or import a tenant secret
On Key Management, with the tenant secret type set to Data in Salesforce, click Generate Tenant Secret (Salesforce-managed keys) or upload your BYOK tenant secret. For Cache-Only Keys, enable the Cache-Only Key Service on Advanced Encryption Settings first, then register the key and its named credential on Key Management. Export the new secret and store the export wherever your key-escrow process keeps it.
- Encrypt target fields
Open the Encrypted Fields screen. For each field to encrypt, click Edit, check Encrypted, choose the scheme (Probabilistic or Deterministic), and save. Deterministic requires enabling it on Advanced Encryption Settings and generating its tenant secret first; use it only for fields that must support equality filters.
- Enable file encryption (if needed)
On the encryption policy page, check Encrypt Files and Attachments. New files are encrypted from then on; existing files are handled by the background encryption service when you synchronize.
- Synchronize and monitor Encryption Statistics
Open Encryption Statistics, gather statistics for each affected object, and use Sync on any object that still reports unencrypted data. Wait until every object shows fully encrypted before considering the rollout complete.
- Schedule the custodian audit
Put a quarterly review of Manage Encryption Keys holders on the calendar, alongside the tenant secret rotation schedule.
Tabs at a glance
- Key Management: where tenant secrets are generated, imported, exported, rotated, and destroyed.
- Encrypted Fields: the master inventory of encrypted fields. Enable or disable per field; choose a probabilistic or deterministic scheme.
- Files and Attachments: org-wide toggle for file encryption. Once on, covers existing and future files.
- Search index encryption: strict-compliance feature that encrypts the search index files under a Search Index tenant secret. Test search behaviour before enabling.
- Event monitoring encryption: encrypts event monitoring data at rest. Pairs with the Event Monitoring product for end-to-end coverage.
Things to watch out for
- The page is only visible with a Shield license, so you cannot rehearse the configuration without one; use a sandbox that has the license provisioned before touching production.
- Enabling encryption on a field covers new writes only until the background encryption service re-encrypts existing records, which can take hours on large objects; use Encryption Statistics to sync and confirm completion before declaring the field protected.
- Files encryption is org-wide and includes legacy files. Disabling it requires a full decrypt operation that is long-running and operationally expensive.
- Search index encryption needs its own Search Index tenant secret and has search-behaviour and performance considerations. Test wildcard, partial-match and full-text queries in a sandbox before going live in a user-facing org.
- Manage Encryption Keys includes the ability to destroy tenant secrets. Data encrypted under a destroyed secret is unreadable unless an exported copy is re-imported, so export every secret before destroying it, restrict the permission to named custodians, audit quarterly, and require multi-party approval for any destructive action.
- Rotating a tenant secret does not re-encrypt existing data; the archived secret keeps decrypting it until you synchronize. A response to a suspected key compromise therefore needs rotation plus a full sync, not rotation alone.
Trust & references
Straight from the source - Salesforce's reference material on Encryption Settings.
- Set Up Your Encryption Policy (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. In which area of Salesforce would you typically find Encryption Settings?
Q2. What is the primary benefit of Encryption Settings for Salesforce administrators?
Q3. Why is understanding Encryption Settings important for Salesforce admins?