Encryption Settings


Definition

Encryption Settings is a Setup page where administrators configure Shield Platform Encryption to encrypt sensitive data at rest in the Salesforce database. Administrators can select which fields, files, and attachments to encrypt, manage encryption keys, and control encryption policies across the org.

Real-World Example

The security admin at FinServe Bank enables Shield Platform Encryption on the Social Security Number and Account Number custom fields. She generates a tenant secret, which combines with Salesforce's master secret to create unique encryption keys. Now these fields are encrypted at rest in the database and appear masked to users without the "View Encrypted Data" permission.

Why Encryption Settings Matters

Encryption Settings is the administrative hub for Shield Platform Encryption, where security administrators select exactly which standard and custom fields, files, and attachments are encrypted at rest in the Salesforce database. Beyond field selection, it provides controls for generating and managing tenant secrets, configuring encryption policies, and setting up the View Encrypted Data permission that determines who can see the unmasked values. This granular control is essential because encrypting everything is neither necessary nor practical; organizations must strategically choose which data elements warrant encryption based on sensitivity and regulatory requirements.

As organizations refine their security posture and face expanding regulatory requirements, Encryption Settings becomes the operational control plane for data protection decisions. Encrypting too few fields leaves sensitive data exposed to compliance risk, while encrypting too many fields can impact report performance, search functionality, and certain platform features that don't support encrypted fields. A thoughtful encryption strategy involves classifying data by sensitivity, mapping classification to encryption decisions, and regularly reviewing settings as new fields are added or regulations change. Organizations that treat Encryption Settings as a set-and-forget configuration often discover gaps during audits when new sensitive fields were added without encryption.
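The review described above can be automated against the field metadata kept in source control. The following is an added example, not Salesforce's or this page's own code. It assumes fields are tagged with the data classification element `securityClassification`, that the org's policy requires encryption for the labels in `MUST_ENCRYPT`, and it uses constructed field names and metadata as sample input.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: classification labels this org's policy requires to be encrypted.
MUST_ENCRYPT = {"Confidential", "Restricted", "MissionCritical"}

def field_xml(name, classification=None, scheme=None):
    """Build a constructed CustomField metadata document for the sample."""
    body = f"<fullName>{name}</fullName><type>Text</type>"
    if classification:
        body += f"<securityClassification>{classification}</securityClassification>"
    if scheme:
        body += f"<encryptionScheme>{scheme}</encryptionScheme>"
    return f'<CustomField xmlns="{NS["md"]}">{body}</CustomField>'

# Constructed sample: qualified field name -> its field metadata XML.
SAMPLE_FIELDS = {
    "Contact.SSN__c": field_xml("SSN__c", "Restricted", "ProbabilisticEncryption"),
    "Contact.Account_Number__c": field_xml("Account_Number__c", "Restricted"),
    "Contact.Diagnosis_Code__c": field_xml("Diagnosis_Code__c"),
    "Contact.Nickname__c": field_xml("Nickname__c", "Public", "None"),
}

def audit_field(xml_text):
    """Return 'ok', 'unencrypted' or 'unclassified' for one field."""
    root = ET.fromstring(xml_text)
    classification = root.findtext("md:securityClassification", namespaces=NS)
    # A missing or empty encryptionScheme means the field is not encrypted.
    scheme = root.findtext("md:encryptionScheme", namespaces=NS) or "None"
    if not classification:
        # Never classified: no encryption decision was ever made for it.
        return "unclassified"
    if classification in MUST_ENCRYPT and scheme == "None":
        return "unencrypted"
    return "ok"

def find_gaps(fields):
    """List (field, status) for every field that needs review, sorted by name."""
    statuses = ((name, audit_field(xml)) for name, xml in fields.items())
    return sorted((name, s) for name, s in statuses if s != "ok")

if __name__ == "__main__":
    for name, status in find_gaps(SAMPLE_FIELDS):
        print(f"{status:13} {name}")
```

Run as a CI check, a non-empty result catches a sensitive field that was added without encryption, or without any classification, before an audit does.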

How Organizations Use Encryption Settings

  • FinServe Bank — FinServe Bank's security admin enabled Shield Platform Encryption on Social Security Number and Account Number custom fields. She generated a tenant secret that combines with Salesforce's master secret to create unique encryption keys. Users without the View Encrypted Data permission see masked values, while compliance officers with the permission see actual data. This satisfied their OCC examination requirements.
  • HealthFirst Medical Group — HealthFirst Medical configured Encryption Settings to protect patient diagnosis codes, insurance IDs, and treatment notes across 12 custom fields. They created a dedicated permission set for the View Encrypted Data privilege and assigned it only to clinicians and billing staff who need unmasked access, limiting exposure to fewer than 30 of their 500 Salesforce users.
  • Platinum Credit Services — Platinum Credit Services uses Encryption Settings to encrypt file attachments on Opportunity records where customers upload financial documents. By enabling encryption for Salesforce Files, every uploaded bank statement, tax return, and pay stub is encrypted at rest. Their risk team audits the encryption coverage quarterly by reviewing the Encryption Statistics dashboard.
