Salesforce Encrypted Fields

Salesforce Encrypted Field

If there is a need to store sensitive data on an Object in Salesforce, that should only be viewed by certain users, then Encrypted Fields is the way to go.

What are Encrypted Fields?

Salesforce introduced Encrypted Fields in the Winter’08 release. These are custom fields that are created in a similar way as any other custom field is created on an object.

The data type selected for an encrypted field is Text (Encrypted).

Salesforce Encrypted Field

Encrypted Text Fields Restrictions:

  • Encrypted text fields can’t be unique, have an external ID, or have default values.
  • Encrypted text fields aren’t available for mapping leads to other objects.
  • Encrypted text fields are limited to 175 characters because of the encryption algorithm.
  • Encrypted text fields aren’t available for use in filters such as list views, reports, roll-up summary fields, and rule filters.
  • Encrypted text fields can’t be used to define report criteria, but they can be included in report results.
  • Encrypted text fields aren’t searchable, but they can be included in search results.
  • Encrypted text fields aren’t available for Connect Offline, Salesforce for Outlook, lead conversion, workflow rule criteria or formulas, formula fields, outbound messages, default values, and Web-to-Lead and Web-to-Case forms.

Things to Remember when Creating an Encrypted Field

  • Encrypted fields are encrypted with 128-bit master keys and use the Advanced Encryption Standard (AES) algorithm.
  • You can archive, delete, and import your master encryption key. To enable master encryption key management, contact Salesforce.
  • You can use encrypted fields in email templates but the value is always masked regardless of whether you have the View Encrypted Data permission.
  • If you have the View Encrypted Data permission and you grant login access to another user, the user can see encrypted fields in plain text.
  • Only users with the View Encrypted Data permission can clone the value of an encrypted field when cloning that record.
  • Only the <apex:outputField> component supports presenting encrypted fields in Visualforce pages.
  • Encrypted fields are editable regardless of whether the user has the View Encrypted Data permission. Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields.
  • You can still validate the values of encrypted fields using validation rules or Apex. Both work regardless of whether the user has the View Encrypted Data permission.
  • To view encrypted data unmasked in the debug log, the user must also have the View Encrypted Data in the service that Apex requests originate from. These requests can include Apex Web services, triggers, workflows, inline Visualforce pages (a page embedded in a page layout), and Visualforce email templates.
  • Existing custom fields can’t be converted into encrypted fields nor can encrypted fields be converted into another data type. To encrypt the values of an existing (unencrypted) field, export the data, create an encrypted custom field to store that data, and import that data into the new encrypted field.
  • Mask Type isn’t an input mask that ensures the data matches the Mask Type. Use validation rules to ensure that the data entered matches the mask type selected.
  • Use encrypted custom fields only when government regulations require it because they involve more processing and have search-related limitations.

How are Classic Encrypted Fields Different to Salesforce Shield Encryption?

Salesforce Shield Platform Encryption protects Salesforce data at rest using either a generated or an uploaded encryption key whereas Salesforce Classic Encryption protects data from your existing Salesforce users by providing masking capabilities, which allow you to hide the original data with random characters.

Pricing Included in base user license Additional fee applies
Encryption at Rest Available Available
Native Solution (No Hardware or Software Required) Available Available
Encryption Algorithm 128-bit Advanced Encryption Standard (AES) 256-bit Advanced Encryption Standard (AES)
HSM-based Key Derivation Not Available Available
Manage Encryption Keys Permission Not Available Available
Generate, Export, Import, and Destroy Keys Available Available
PCI-DSS L1 Compliance Available Available
Masking Available Not Available
Mask Types and Characters Available Not Available
View Encrypted Data Permission Required to Read Encrypted Field Values Available Not Available
Encrypted Standard Fields Not Available Available
Encrypted Attachments, Files, and Content Not Available Available
Encrypted Custom Fields Dedicated custom field type, limited to 175 characters Available
Encrypt Existing Fields for Supported Custom Field Types Not Available Available
Search (UI, Partial Search, Lookups, Certain SOSL Queries) Not Available Available
API Access Available Available
Available in Workflow Rules and Workflow Field Updates Not Available Available
Available in Approval Process Entry Criteria and Approval Step Criteria Not Available Available


With Shield Platform Encryption, you can encrypt a variety of widely used standard fields, along with some custom fields and many kinds of files. Shield Platform Encryption also supports person accounts, cases, search, approval processes, and other key Salesforce features. Classic encryption lets you protect only a special type of custom text field, which you create for that purpose.