Salesforce Classic vs. Salesforce Shield Platform Encryption: Which One Should You Use?

Salesforce offers a couple of encryption options to add extra protection to your Salesforce platform. Let’s dive into the differences between Salesforce Classic encryption and Salesforce Shield Platform Encryption to understand which one is right for your organization.

Salesforce Classic Encryption

Salesforce Classic Encryption protects data from your existing Salesforce users by providing masking capabilities, which allow you to hide the original data with random characters. This out-of-the-box functionality can be used to encrypt custom fields with 128-bit Advanced Encryption Standard (AES). Subsequently, if users are assigned the correct permission set, they will only be able to see the encrypted data.

Advantages of Salesforce Classic Encryption:

• Is included in Base License cost of Salesforce.
• Provides masking of custom fields to protect against internal Salesforce users seeing specific data.
• Is excellent for masking sensitive data, such as credit card or SSN fields.

Disadvantages of Salesforce Classic Encryption:

• Can only encrypt custom fields.
• Limits custom field encryption to 175 characters.
• Needs profiles and permission sets to be configured for Salesforce users.
• Cannot be used in workflows or formula fields.

How Does Salesforce Classic Encryption Affect Your Weekly Export Backups?

The encrypted fields in your backups will be dependent on the authenticated user who is performing the export. If the system admin who is performing the weekly export has the “View Encrypted Data” permission, then the encrypted field will be backed up in its decrypted format. If that user does not have the correct permission, the backups will be shown in the masked format, so that user will be pulling random data rather than the actual data.

Salesforce Shield Platform Encryption

Salesforce Shield Platform Encryption protects Salesforce data at rest using either a generated or an uploaded encryption key. Shield Platform Encryption provides the additional option of Bring Your Own Key (BYOK), allowing customers to manage their own encryption keys. Shield Platform Encryption is an additional feature that provides 256-bit encryption with a broader range of core Salesforce functionality, including search, lookups, validation rules, and Chatter. No masking is applied to Shield encrypted fields, so visibility needs to be controlled with field-level security.

Advantages of Salesforce Shield Platform Encryption Provides:

• The ability to encrypt standard fields, custom fields, files, and attachments.
• Can be used in workflows and formula fields.
• Offers a higher level of encryption (256-bit AES) than Salesforce Classic Encryption.

Disadvantages of Salesforce Shield Encryption:

• There is an additional cost.
• Does not provide masking, so Field Level Security (FLS) needs to be set to control visibility of fields.
• Does not work with certain third-party apps.
• Includes additional considerations that can be found here on Salesforce’s Help Center.

How Does Shield Platform Encryption Affect Your Weekly Export Backups?

All Shield-encrypted fields will be exported in a decrypted format. In addition to backing up your Salesforce data, it is recommended that you back up your tenant secret key. In the case that you accidentally destroy a tenant secret, Salesforce is unable to retrieve it for you and you will lose all access to data encrypted with that key.

If you decide to go with Shield Platform Encryption, consider using a third-party backup service, like Own, to ensure you never lose access to your data. Own (formerly OwnBackup) is the perfect complement to Salesforce Shield as it performs daily automated backups of all of your data and metadata, including your tenant secrets. This way, you will never lose access to the encrypted data that is critical to your business operations.