Salesforce Encryption: Levels of Encryption & How They Work

Below, our experts discuss two encryption solutions. We’ll also highlight the differences between Salesforce data at rest encryption and Salesforce data in transit encryption.

In 2020 alone, there were 1,001 data breaches in the United States. The hackers who perpetrated these breaches gained access to the confidential data of over 155.8 million people. The companies that were the victims of these data breaches faced irreparable damage to their reputations. Attacks like these often succeed because of insufficient cybersecurity protocols.

As one of the most widely used customer relationship management platforms in the world, Salesforce is a prime target for these attacks. Businesses across virtually every industry rely on Salesforce for maintaining positive interactions with clients and storing consumer data.

The Salesforce platform is overflowing with all of the types of data that hackers love. Social Security numbers, credit card numbers, addresses, and more can be obtained by gaining access to a company’s Salesforce data.

If your business uses Salesforce and its massive suite of applications, then it is vital that you understand the difference between the platform’s two types of encryption.

What Is Salesforce Encryption and Why Does Encryption Matter?

In general terms, Salesforce data encryption prevents unauthorized users from reading your data. When data is encrypted, it is encoded using a key, and only those who hold the key can decrypt it.

Hypothetically, it is possible for people to decipher the data without the key. However, it is an extremely difficult process that requires a vast number of technological resources. Therefore, Salesforce encryption is one of the most effective ways to protect your data.

Salesforce encryption can use one of two different schemes. The default scheme of Salesforce Classic encryption and Shield Platform is known as “probabilistic encryption.”

The probabilistic encryption algorithm introduces randomness when encoding data. This means that the same text produces a different ciphertext every time it is encrypted.

The downside to a probabilistic scheme is that companies can no longer filter their encrypted data, because the same value never encrypts to the same ciphertext twice.

Salesforce is also capable of encrypting data using a deterministic encryption scheme. Most organizations prefer this method, as it allows them to reap the benefits of data filtering — but more on that a bit later.

There are not only different Salesforce data encryption methods, but there are also varying types of data that must be encrypted. The two primary types of Salesforce data that must be encrypted are “data at rest” and “data in transit.”

What Is Salesforce Data at Rest Encryption?

Salesforce data at rest encryption is the process of encoding your data while it is stationary.

Data at rest encryption adds an extra layer of protection for your data in the event that all other defenses are breached. If a hacker is able to successfully make it past your firewall and gain access to your network, data at rest encryption prevents them from acquiring any usable information.

What Is Salesforce Data in Transit Encryption?

Data in transit encryption is the more widely known type of encryption. This type of encryption is designed to protect data when it is being sent or received.

However, data in transit encryption offers no protection for your confidential information when it is “at rest” or simply being stored on the server.

Due to the significant rise in breaches and cybercrime over the last decade, data in transit encryption alone is no longer an adequate way to protect data. By deploying data in transit and data at rest encryption protocols for your Salesforce resources, you can protect your information at all stages of its lifecycle.

Classic Encryption vs. Shield Platform Encryption

Salesforce offers two primary encryption solutions for its clients. The first is known as Classic Salesforce encryption. This is the standard encryption functionality that is included with a basic licensing agreement.

The more robust option is known as Salesforce Shield Platform Encryption. This service is available to all Salesforce clients, but to access it, you must pay an extra fee.

Before you select an encryption solution for your business, it is important that you understand the core differences between the two.

How Shield Platform Encryption Works

Salesforce Shield Platform Encryption is a 256-bit encryption solution. The technology allows you to “Bring Your Own Key,” which means that you can manage your encryption keys instead of relying on Salesforce to do so.
The BYOK feature is appealing to organizations that handle extremely sensitive data and are subject to stringent regulatory requirements.

Shield Platform Encryption protects data while it is at rest. It does not provide a masking feature for key fields, which means that you must deploy a Field Level Security (FLS) solution.

Shield Platform Encryption is meant to supplement other cybersecurity efforts, not act as a replacement for them.

Shield Platform Encryption allows you to encrypt standard fields, files, attachments, and custom fields. You can use this encryption solution in formula fields and workflows as well. However, it does not function well with some third-party applications.

Use Cases for Classic Encryption

Salesforce Classic Encryption’s primary use is to mask sensitive data. It is designed to protect your data against users operating on the Salesforce platform. Specifically, Classic Encryption can conceal data such as SSNs and credit card numbers.

The downside to Salesforce Classic Encryption is that it cannot be used in formula fields or workflows. Furthermore, you must configure permission sets and profiles manually.


Is Salesforce Encrypted?

Yes, Salesforce has encryption solutions for your data while it is in transit and at rest. These various encryption strategies are designed to protect your data at all times.

The Salesforce Classic Encryption solution is a standard part of any Base License. However, the more robust Salesforce Shield Platform comes at an additional cost.

What Type of Encryption Does Salesforce Use?

Salesforce Classic Encryption uses a 128-bit Advanced Encryption Standard (AES). This solution allows you to mask custom fields, which protects your data from internal Salesforce clients.

Salesforce Classic is an excellent solution for concealing sensitive information, such as credit card numbers.

Salesforce’s Shield Platform Encryption uses 256-bit encryption. This more comprehensive encryption solution includes additional functionalities, such as validation rules, search, and more.

How Does Salesforce Encryption Work?

Salesforce encryption is designed to protect data while it is at rest. Traditionally, encryption tools would only protect data while it was in transit. While this method has its benefits, the increase in cyberattacks has made it necessary to safeguard data at all times, including when it is passively stored in the cloud.

Salesforce encryption uses an HSM-based key derivation system. Your organization will have its own data encryption key, which will never be shared or saved across other organizations. Your unique key material will encrypt and decrypt documents as needed.

Specifically, Salesforce uses a probabilistic encryption protocol. Probabilistic encryption means that the algorithm relies on random patterns during the encoding process. The algorithm could encrypt the same text repeatedly, but it will generate a unique cipher text each time.
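
The probabilistic scheme described above, next to the deterministic scheme and the filtering trade-off from the earlier section, as an added example (not Salesforce's or CapStorm's code). It assumes an HMAC-SHA256 keystream as a standard-library stand-in for AES and omits integrity protection; the function names and the sample column are constructed for illustration.

```python
import hashlib
import hmac
import secrets

IV_LEN = 16

def _keystream(key, iv, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES (assumption).
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, b"ks" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]

def _xor(key, iv, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def encrypt_probabilistic(key, plaintext):
    # Fresh random IV per call: equal plaintexts give unrelated ciphertexts.
    iv = secrets.token_bytes(IV_LEN)
    return iv + _xor(key, iv, plaintext)

def encrypt_deterministic(key, plaintext):
    # IV derived from key and plaintext: equal plaintexts give equal ciphertexts.
    iv = hmac.new(key, b"iv" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    return iv + _xor(key, iv, plaintext)

def decrypt(key, blob):
    return _xor(key, blob[:IV_LEN], blob[IV_LEN:])

def filter_rows(key, stored, term, encrypt):
    # Equality filter over ciphertext: encrypt the search term, compare bytes.
    needle = encrypt(key, term)
    return [i for i, blob in enumerate(stored) if hmac.compare_digest(blob, needle)]

# Constructed sample column; rows 0 and 2 hold the same value.
EMAILS = [b"ana@example.com", b"bo@example.com", b"ana@example.com"]

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for name, enc in (("probabilistic", encrypt_probabilistic),
                      ("deterministic", encrypt_deterministic)):
        column = [enc(key, e) for e in EMAILS]
        hits = filter_rows(key, column, b"ana@example.com", enc)
        # Deterministic matching also tells anyone holding the ciphertext
        # that rows 0 and 2 are equal; that is the price of filtering.
        print(name, "filter hits:", hits, "| rows 0 and 2 equal:", column[0] == column[2])
```
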

What Is Salesforce Data Encryption at Rest?

According to Salesforce, their data encryption at rest functionality “encrypts the underlying files stored in the file system.” This feature presents data as plain text while simultaneously encrypting the underlying file system.

The data encryption at rest functionality may have minimal impacts on performance, as it requires resources to decrypt and encrypt data.

Does Salesforce Shield Platform Encryption Back Up My Data Daily? Do the Rules Continue when I Extract Data from Salesforce?

Salesforce Shield Platform Encryption does not handle the backup process. Instead, it encrypts files, custom fields, and attachments. You must define your backup parameters using a data backup solution, such as the one offered by Salesforce.

However, Salesforce Shield Platform encryption will have an impact on your data extraction.

When you extract data, all Shield-encrypted files will be exported in an unencrypted format. The Salesforce Shield Platform Encryption is designed specifically for protecting Salesforce data while it is “at rest.”

If you want to ensure that your data backups are encrypted, then you will need to implement the Backup and Restore Salesforce app.

When you leverage Salesforce encryption, data backup, and integration & reporting solutions, you can make sure that your organization gets the most out of its Salesforce data. You can also address key vulnerabilities and protect your valuable data.

Salesforce Encryption and Data Filtering from CapStorm

If your organization wants to better protect data as it enters and leaves the Salesforce ecosystem, CapStorm can help. Our organization provides comprehensive Salesforce solutions, including Salesforce backup and recovery and advanced Salesforce data analytics and reporting solutions.

We are the only company in the market that offers Salesforce data extraction while maintaining 100% referential integrity. This means that you can avoid the common problems associated with probabilistic encryption while also retaining your ability to filter data efficiently.

In addition, we are the only self-hosted platform, which means that our solutions install behind your firewall, giving you complete control over your business’s valuable data.

Want to learn more? Contact us today. We can connect you with one of our knowledgeable experts or set you up with a demo.

Kasey Fletcher

Kasey is a certified Salesforce Administrator with 4+ years supporting both large and small Salesforce implementations. She is passionate about finding the best ways to make each person's data work for them. There is nothing better than working with customers to help solve their Salesforce data roadblocks.

About CapStorm

CapStorm is the most technologically advanced Salesforce data management platform on the market. Billions of records per day flow through CapStorm software, and our solutions are used in every industry, from credit cards, telecom providers, insurance agencies and global banks to energy providers.
