Salesforce offers a couple of encryption options to add extra protection to your Salesforce platform. Let’s dive into the differences between Salesforce Classic encryption and Salesforce Shield Platform Encryption to understand which one is right for your organization.
Salesforce Classic Encryption protects data from being viewed by your existing Salesforce users through masking, which hides the original value behind random characters. This out-of-the-box functionality can be used to encrypt custom fields with 128-bit Advanced Encryption Standard (AES). Subsequently, only users assigned the correct permission will be able to see the actual data in an encrypted field; everyone else sees the mask.
Advantages of Salesforce Classic Encryption:
Disadvantages of Salesforce Classic Encryption:
The encrypted fields in your backups depend on the authenticated user who performs the export. If the system admin who runs the weekly export has the “View Encrypted Data” permission, the encrypted field will be backed up in its decrypted form. If that user does not have the permission, the backup will contain the masked values, so that user will be pulling random characters rather than the actual data.
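One way to catch the export problem just described before a masked backup is relied upon, added here as an example (not Salesforce's or OwnBackup's code): scan the exported CSV and flag any encrypted field whose values all look like masks. The mask character "X", the field names and the sample rows are assumptions.

```python
import csv
import io
import re

# Classic Encryption replaces hidden characters with a mask character; "X" is
# assumed here and kept configurable, since the page does not state it.
MASK_CHAR = "X"


def looks_masked(value: str, mask_char: str = MASK_CHAR) -> bool:
    """Heuristic: a run of at least four mask characters, optionally followed by
    up to four clear characters (the 'last four clear' style of mask), ignoring
    separators such as '-' and spaces."""
    core = re.sub(r"[-\s]", "", value)
    pattern = rf"{re.escape(mask_char)}{{4,}}[A-Za-z0-9]{{0,4}}"
    return re.fullmatch(pattern, core) is not None


def audit_export(csv_text: str, encrypted_fields: list[str]) -> dict[str, str]:
    """Verdict per encrypted field: 'MASKED' if every non-empty value looks
    masked, 'OK' if none does, 'MIXED' otherwise, 'EMPTY' if no values."""
    counts = {f: [0, 0] for f in encrypted_fields}  # [non-empty rows, masked rows]
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in encrypted_fields:
            value = (row.get(field) or "").strip()
            if not value:
                continue
            counts[field][0] += 1
            counts[field][1] += int(looks_masked(value))
    verdicts = {}
    for field, (total, masked) in counts.items():
        if total == 0:
            verdicts[field] = "EMPTY"
        elif masked == total:
            verdicts[field] = "MASKED"
        elif masked == 0:
            verdicts[field] = "OK"
        else:
            verdicts[field] = "MIXED"
    return verdicts


# Constructed sample exports (not real Salesforce data). The first mimics an
# export run by a user without "View Encrypted Data"; the second, by one with it.
EXPORT_WITHOUT_PERMISSION = """Id,Name,SSN__c,Card__c
001A,Alice,XXX-XX-1234,XXXX-XXXX-XXXX-1111
001B,Bob,XXX-XX-5678,XXXX-XXXX-XXXX-0004
"""
EXPORT_WITH_PERMISSION = """Id,Name,SSN__c,Card__c
001A,Alice,123-45-1234,4111-1111-1111-1111
001B,Bob,987-65-5678,5500-0000-0000-0004
"""

if __name__ == "__main__":
    for label, text in (("no permission", EXPORT_WITHOUT_PERMISSION),
                        ("with permission", EXPORT_WITH_PERMISSION)):
        print(label, audit_export(text, ["SSN__c", "Card__c"]))
```

A "MASKED" verdict on a weekly export means the backup holds mask characters instead of the real field values and should be re-run by a user holding the permission.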
Salesforce Shield Platform Encryption protects Salesforce data at rest using either a generated or an uploaded encryption key. It also offers Bring Your Own Key (BYOK), allowing customers to manage their own encryption keys. Shield Platform Encryption is an additional feature that provides 256-bit encryption while remaining compatible with a broader range of core Salesforce functionality, including search, lookups, validation rules, and Chatter. No masking is applied to Shield-encrypted fields, so visibility must be controlled with field-level security.
Advantages of Salesforce Shield Platform Encryption:
Disadvantages of Salesforce Shield Encryption:
All Shield-encrypted fields are exported in decrypted form. In addition to backing up your Salesforce data, it is recommended that you back up your tenant secret. If you accidentally destroy a tenant secret, Salesforce cannot retrieve it for you and you will lose all access to data encrypted with that key.
If you decide to go with Shield Platform Encryption, consider using a third-party backup service, like OwnBackup, to ensure you never lose access to your data. OwnBackup is the perfect complement to Salesforce Shield as it performs daily automated backups of all of your data and metadata, including your tenant secrets. This way, you will never lose access to the encrypted data that is critical to your business operations.