Salesforce Encrypted Fields: Everything You Need to Know

Curious about Salesforce encrypted fields? Discover the ins and outs of field encryption for Salesforce with our comprehensive guide.

In 2021, the average cost of a data breach hit a 17 year high. Last year, every data breach cost companies approximately $3.86M per incident. The current average is roughly $4.24M per data breach.

Recently, representatives from top technology companies, including Google, Okta, Slack, and Salesforce, have created a partnership to develop a cybersecurity baseline.

This set of guidelines has been dubbed the Minimum Viable Security Product (MVSP).

Among other things, the creators of the MVSP recommend that you encrypt your data. Fortunately, Salesforce already has several mechanisms in place that facilitate the encryption process, including “Salesforce encrypted fields.”

What is an Encrypted Field in Salesforce?

In Salesforce, an encrypted field is a cybersecurity functionality that allows you to mask data. When your data is masked using field encryption, users without the appropriate permissions will not be able to view the data.

Conversely, team members who have a profile with “View Encrypted Data” enabled will have the ability to view encrypted information normally.

Salesforce encrypted fields have several limitations. For instance, the character limit on an encrypted field is often lower than the standard field length, with Case Comment as a prime example. In addition, some field encryptions can limit other features, like Einstein Lead Scoring can be limited if Lead fields are encrypted.

Encrypt Data in Custom Fields in Salesforce Classic

We were tempted to jump right into custom field encryption for Salesforce Lightning, but we wanted to throw in a section for those who are still running on Classic.

Classic Encryption is included for free for Classic, and you can always add on Shield Platform Encryption if you need additional features. The encryption options work the same way in Classic as they do in Lightning with a few small exceptions.

You can implement Salesforce Classic encryption without the Shield Platform Encryption add-on. The algorithm will be a 128-bit Advanced Encryption Standard instead of a 256-bit AES. If you want to try the add-on, it’s included in Salesforce Developer sandboxes. If you want to check out some additional differences between Classic Encryption and Slalesforce’s Platform Encryption, here’s a handy reference guide.

Encrypt Data in Custom Fields in Lightning Experience

When encrypting new data using custom fields in Salesforce Lightning, you will again have the option to choose between standard encryption or purchase the Shield add-on. If you opt to buy the add-on, navigate to the Platform Encryption Advanced Settings page in your “Setup” menu and enable deterministic encryption.

You will need to remain in the “Setup” menu to create your custom field.

  1. Locate the “Object Manager” tab and then choose your object.
  2. Then, click on the “Fields & Relationships” button.
  3. After doing so, you will be prompted to create or edit a custom field.
  4. Make sure that you select “Encrypted” when generating your field.


Encrypted data graphics

How do I Encrypt Field Data in Salesforce?

Salesforce has numerous encryption scheme fields that you can use to protect Salesforce data. However, setting up an encryption policy requires the Salesforce Shield Platform Encryption add-on. Of course, it is always best practice to test any change in a Salesforce sandbox, prior to implementing in production!

For many organizations, you can enable standard field encryption in a few minutes. To begin, ensure that your organization’s encryption key is active.

  1. If it is, then you can navigate to the “Setup” menu and use the Quick Find search box to query the phrase “Platform Encryption.” From the results, select “Encryption Policy.”
  2. When the next menu opens, select “Encrypt Fields” and click on the edit button. Select which fields that you would like to encrypt. Salesforce will encrypt all new data governed by that field with a probabilistic scheme.

Unfortunately, that scheme makes it difficult to perform data filtering. Therefore, we recommend switching to deterministic encryption.

You can encrypt both standard and custom objects. In addition, new files and attachments can be encrypted, though the indicator denoting a file and encryption will only be visible if you are using Salesforce Classic.

How do I Decrypt an Encrypted Field in Salesforce?

You can always decrypt a field by turning off Salesforce Encryption! This is needed if you want to integrate data with a legacy portal, use a Salesforce feature that does not support Shield Platform Encryption, or leverage specific Salesforce apps with this data like the Customer 360 Data Manager.

If, for example, you want to implement Salesforce’s Einstein Recommendation Engine in Marketing Cloud, this app does not support Shield Platform Encryption. Any data used with this app will need to be unencrypted. To stop encryption on a field, simply:

  1. Select the Encryption Policy in Setup
  2. Click Encrypt Fields
  3. Deselect the fields that you no longer want to encrypt. Please note that File encryption is either on or off, so you can’t turn it off for just specific fields!

If you want to read more about decrypting data, Salesforce’s Shield Platform Encryption Implementation Guide is a handy reference.

Can Salesforce Search Encrypted Fields?

Under all encryption types, a Salesforce user can search for data using the standard search functionality. Users are not prevented from finding and viewing data that they are authorized to view! SOQL use, however, can be limited on encrypted fields. If you selected the deterministic scheme when encrypting fields, you would still be able to search them in Salesforce. However, there are several limitations, even when using this scheme.

Specifically, Salesforce cannot use encrypted fields in list views or report filters. In addition, Salesforce does not support encrypted fields in some of SOQL clauses, such as WHERE, MAX(), or ORDER BY.

Key Use Cases for Encryption of Your Salesforce Data

Shield Platform Encryption adds an additional security layer to your Salesforce Organization by encrypting data at rest. Each company can bring their own key or use the key provided by Salesforce, providing flexibility for all industry verticals.

This helps each company meet compliance requirements while also providing a user friendly app with critical elements like search, data validation, and automation like Salesforce Flow. Some of the most common types of data that you can encrypt with Salesforce custom fields include:

  • Email addresses
  • Phone numbers
  • Written text
  • Text Area (standard, long, and rich)
  • URLs
  • Date/Time
  • Credit card numbers
  • SSNs
  • Addresses

The more custom fields you encrypt, the more difficult it will be to query your data. Most organizations only encrypt the most important data types, such as SSNs, credit card numbers, and email addresses.

Salesforce Data Governance From CapStorm

While Salesforce encrypted fields and Salesforce Shield allows you to control data within the Salesforce platform, these security controls are limited to data utilization on-platform. Data controls do not extend to data utilization as data is imported and exported out of Salesforce.

To remedy this issue, Capstorm has created Govern. This solution is designed for organizations that use Salesforce but must also adhere to multiple complex regulatory requirements. Our technology complements existing Salesforce Shield capabilities while also creating an auditable chain of custody for compliance data.

Contact us today if you would like to learn more about Govern or our full suite of Salesforce solutions. You can also schedule a free demo.

Rebecca Gray

Rebecca Gray

Rebecca is 5 year Salesforce fanatic and certified Salesforce Admin, Service Cloud Consultant, Sales Cloud Consultant, and App Builder. She volunteers in the Salesforce community, leading the Saint Louis, MO Salesforce Admin Group and is a former Lightning Champion. In her day job, Rebecca supports Customer Success, helping CapStorm customers achieve their goals for Salesforce data management.

About CapStorm

CapStorm is the most technologically advanced Salesforce data management platform on the market. Billions of records per day flow through CapStorm software, and our solutions are used in every industry from credit cards, telecom providers, insurance agencies, global banks and energy providers.

Recent Posts

Follow Us

Become a CapStorm Insider

Become a CapStorm Insider

Subscribe to the CapStorm Forecast

This field is for validation purposes and should be left unchanged.