
Salesforce Encrypted Field
If you need to store sensitive data on a Salesforce object that only certain users should be able to view, Encrypted Fields are the way to go.
What are Encrypted Fields?
Salesforce introduced Encrypted Fields in the Winter ’08 release. They are custom fields, created in the same way as any other custom field on an object.
The data type selected for an encrypted field is Text (Encrypted).
Encrypted Text Field Restrictions:
- Encrypted text fields can’t be unique, have an external ID, or have default values.
- Encrypted text fields aren’t available for mapping leads to other objects.
- Encrypted text fields are limited to 175 characters because of the encryption algorithm.
- Encrypted text fields aren’t available for use in filters such as list views, reports, roll-up summary fields, and rule filters.
- Encrypted text fields can’t be used to define report criteria, but they can be included in report results.
- Encrypted text fields aren’t searchable, but they can be included in search results.
- Encrypted text fields aren’t available for Connect Offline, Salesforce for Outlook, lead conversion, workflow rule criteria or formulas, formula fields, outbound messages, default values, and Web-to-Lead and Web-to-Case forms.
Things to Remember when Creating an Encrypted Field
- Encrypted fields are encrypted with 128-bit master keys and use the Advanced Encryption Standard (AES) algorithm.
- You can archive, delete, and import your master encryption key. To enable master encryption key management, contact Salesforce.
- You can use encrypted fields in email templates but the value is always masked regardless of whether you have the View Encrypted Data permission.
- If you have the View Encrypted Data permission and you grant login access to another user, the user can see encrypted fields in plain text.
- Only users with the View Encrypted Data permission can clone the value of an encrypted field when cloning that record.
- Only the <apex:outputField> component supports presenting encrypted fields in Visualforce pages.
- Encrypted fields are editable regardless of whether the user has the View Encrypted Data permission. Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields.
- You can still validate the values of encrypted fields using validation rules or Apex. Both work regardless of whether the user has the View Encrypted Data permission.
- To view encrypted data unmasked in the debug log, the user must also have the View Encrypted Data permission in the service that the Apex requests originate from. These requests can include Apex Web services, triggers, workflows, inline Visualforce pages (a page embedded in a page layout), and Visualforce email templates.
- Existing custom fields can’t be converted into encrypted fields nor can encrypted fields be converted into another data type. To encrypt the values of an existing (unencrypted) field, export the data, create an encrypted custom field to store that data, and import that data into the new encrypted field.
- Mask Type isn’t an input mask that ensures the data matches the Mask Type. Use validation rules to ensure that the data entered matches the mask type selected.
- Use encrypted custom fields only when government regulations require it because they involve more processing and have search-related limitations.
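Because Mask Type does not enforce an input format and encrypted fields stay editable for users without View Encrypted Data, format checks have to be done in a validation rule or in Apex. The trigger below is an added example, not code from the original post; it assumes a hypothetical custom object Customer__c with an encrypted custom field Tax_ID__c of type Text (Encrypted), and a nine-digit format with optional hyphens.

```apex
// Added example (not from the original post). Assumed: custom object Customer__c
// with Tax_ID__c of type Text (Encrypted). Apex receives the unmasked value in a
// trigger regardless of the running user's View Encrypted Data permission, so the
// check below works for every user who can edit the record.
trigger ValidateTaxId on Customer__c (before insert, before update) {
    // Assumed format: nine digits, optionally written as 123-45-6789.
    Pattern taxIdPattern = Pattern.compile('^\\d{3}-?\\d{2}-?\\d{4}$');

    for (Customer__c c : Trigger.new) {
        // On update, only re-validate when the encrypted value actually changed.
        if (Trigger.isUpdate) {
            Customer__c old = (Customer__c) Trigger.oldMap.get(c.Id);
            if (old.Tax_ID__c == c.Tax_ID__c) {
                continue;
            }
        }
        // Blank is allowed here; mark the field required on the page layout if not.
        if (String.isBlank(c.Tax_ID__c)) {
            continue;
        }
        if (!taxIdPattern.matcher(c.Tax_ID__c).matches()) {
            // Attach the error to the field itself. The message must never echo
            // the submitted value, or the plaintext would be shown to a user
            // who may only be entitled to the masked form.
            c.Tax_ID__c.addError('Tax ID must be nine digits, for example 123-45-6789.');
            continue;
        }
        // Store a canonical form so the masked display is consistent.
        c.Tax_ID__c = c.Tax_ID__c.replace('-', '');
    }
}
```

Avoid System.debug() of the field inside such a trigger: the value would land in the debug log, where it appears unmasked for users holding View Encrypted Data in that service.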
How Are Classic Encrypted Fields Different from Salesforce Shield Encryption?
Salesforce Shield Platform Encryption protects Salesforce data at rest using either a generated or an uploaded encryption key. Salesforce Classic Encryption, by contrast, protects data from your existing Salesforce users by providing masking, which hides the original data behind random characters.
| FEATURE | CLASSIC ENCRYPTION | PLATFORM ENCRYPTION |
| --- | --- | --- |
| Pricing | Included in base user license | Additional fee applies |
| Encryption at Rest | Available | Available |
| Native Solution (No Hardware or Software Required) | Available | Available |
| Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES) |
| HSM-based Key Derivation | Not Available | Available |
| Manage Encryption Keys Permission | Not Available | Available |
| Generate, Export, Import, and Destroy Keys | Available | Available |
| PCI-DSS L1 Compliance | Available | Available |
| Masking | Available | Not Available |
| Mask Types and Characters | Available | Not Available |
| View Encrypted Data Permission Required to Read Encrypted Field Values | Available | Not Available |
| Encrypted Standard Fields | Not Available | Available |
| Encrypted Attachments, Files, and Content | Not Available | Available |
| Encrypted Custom Fields | Dedicated custom field type, limited to 175 characters | Available |
| Encrypt Existing Fields for Supported Custom Field Types | Not Available | Available |
| Search (UI, Partial Search, Lookups, Certain SOSL Queries) | Not Available | Available |
| API Access | Available | Available |
| Available in Workflow Rules and Workflow Field Updates | Not Available | Available |
| Available in Approval Process Entry Criteria and Approval Step Criteria | Not Available | Available |
Conclusion
With Shield Platform Encryption, you can encrypt a variety of widely used standard fields, along with some custom fields and many kinds of files. Shield Platform Encryption also supports person accounts, cases, search, approval processes, and other key Salesforce features. Classic encryption lets you protect only a special type of custom text field, which you create for that purpose.