SaasGuru Logo

Salesforce Encryption: Salesforce Shield vs Classic Encryption

Table of Contents

Salesforce Encryption: Salesforce Shield vs Classic Encryption

There is a well-known quote saying, “Data is the new oil,” which happens to be the most prophetic saying nowadays when the entire industry ecosystem is undergoing a digital transformation. Imagine a data breach in a financial or health cloud sector; we could visualize the amount of damage it creates to an organization’s trust and reputation. It’s paramount to keep all customer information safe in a digital system, especially sensitive data such as payment information, identification information, health records, etc. In a Saas world, the data security concern raises one bar above as the server is not being handled on company premises, so data privacy and data security have become inevitable in any industry.

To ensure that the data is not being stolen or lost and are not reached by the wrong hand, it’s pertinent to point out that there are multiple legal acts in different territories of the world. For example, California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union’s General Data Protection Regulation (GDPR), etc. Salesforce security features follow and adhere to those rules.

Types of Encryptions in Salesforce for Data Protection

There are 2 types of encryption available in Salesforce for data protection – Classic Encryption & Shield Platform Encryption. 

Classic Encryption features will be available with the base salesforce product. You do not need to spend extra cost for the same. However, license purchase is required in all orgs except developer edition org for Shield Encryption. Compared with Classic Encryption, the Shield has come up with an additional layer of privacy and security for your data. The bottom table depicts the advantages of Shield over classic.

Types of Encryptions in Salesforce for Data Protection

What Is Shield, and How Does It Work?

Salesforce Shield Data Encryption is an additional layer of protection to ensure that all organization data are safe and locked in Salesforce servers. In Platform Encryption, the important notion is to form the most secure key, which will do the scrambling and unscrambling of customer data. 

Become a Salesforce Certified Professional

Use Coupon Code BLOG20 to avail flat 20% discount on saasguru Programs.

The key derivation process is a highly complex algorithm in which it clubs the master secret with the tenant secret. The master secret is generated by Salesforce (Three times a year, with each release). It is created by a dedicated processor called a Hardware Security Module (HSM), specially designed for creating strong and secure keys. The customer organization can create a unique tenant key. Salesforce combines both master and tenant keys to form the final data encryption key.

Key Features of Shield Platform Encryption

  • You can encrypt both standard fields as well as custom fields. For example, you can encrypt Standard Fields of account Objects such as account name, account site, billing address (encrypts billing street and billing city), description, fax, phone, shipping address (encrypts shipping street and shipping city), and website other than custom fields.
  • You can encrypt custom fields in a managed package if the installed managed package supports Shield Platform Encryption. 
  • Files and attachments can be encrypted. For example, files attached to emails, feeds, records, knowledge articles, and chatter posts can be encrypted. Also, images included in rich text area fields can be protected with Encryption.
  • Salesforce provides an option that the customer organization can create their final data encryption key to encrypt and decrypt the data. Hence Shield Platform Encryption can be coined as customer-driven Encryption.
  • Easy out-of-the-box set-up and configuration

Types of Shield Platform Encryptions

There are two types of Shield Platform Encryption schemes – deterministic Encryption and Probabilistic Encryption.

Types of Shield Platform Encryptions


Deterministic Encryption

  • Users can filter records in reports and list views if they select Deterministic Encryption. However, the underlying fields will be encrypted.
  • Users can use field conditions in the WHERE clause of SOQL queries.

Deterministic Encryption schemes can be case-sensitive Deterministic Encryption or case-insensitive Deterministic Encryption.

Probabilistic Encryption

  • Shield Platform Encryption uses Probabilistic Encryption by default.
  • Each piece of data will get converted into random ciphertext every time the data is encrypted. This strengthens Encryption. However, if there is any string comparison business logic that needs to be implemented, this Encryption won’t give you the proper result. 
  • You cannot use it in the WHERE clause of SOQL queries. For example, you need to run a SOQL query in custom apex code against the Contact object, WHERE FirstName = ‘Anna.’ You can’t run the query if the first name field is encrypted with Probabilistic Encryption. Because the first name, “Anna,” turned out to be a different ciphertext than the earlier encrypted string value.
  • Filtering is not possible.

How to Set Up Shield Platform Encryption?

Shield Encryption is a quick setup and easily configurable activity in your org.

Get your Salesforce Certifications on the first go

Use Coupon Code BLOG20 to avail flat 20% discount on saasguru Programs.

  • First, you need to create a permission set and name it at your convenience. E.g., Key Manager
  • In system permissions, enable the Customize Application and Manage Encryption Keys permissions.
  • Add these permission sets to authorized user accounts.
  • Generate a tenant secret (Quick Find box, enter ‘Platform Encryption’ –> Select ‘Key Management’–> Generate ‘Tenant Secret’)
  • Export and Import Tenant Secrets: Export tenant secret is essential because if you lose access to the encrypted data, you can import the earlier uploaded version to get back access. This can be done from the Platform Encryption page. Both export and import features are available there.
  • Now, to encrypt fields, you need to navigate to Platform Encryption –> Encryption Policy –> Encrypt Fields –> Edit the fields you want to encrypt.

Summing Up

When the demand for data security increases, the necessity for powerful tools like Shield Encryption are also a must to have. The solution not only protects data but also protects the trust and reputation of the organization. If you need to learn more about Salesforce Encryptions and are looking for the right resource, join our saasguru Slack Community, discuss with the industry experts, and get rid of your doubts.  

If you are seriously thinking about a career transformation with Salesforce, do not think twice about joining saasguru and ace the Salesforce certification exam on your first go. Sign up, Now!

Looking for Career Upgrade?

Book a free counselling session with our Course Advisor.

By providing your contact details, you agree to our Terms of use & Privacy Policy

Related Articles

AWS Solution Architect Associate Certification Cost in India

Paying up for AWS Solution Architect Associate Certification cost in India is a clever move to get to the top of the demand in the job market. Learn more!

AWS Cloud Practitioner Salary in the USA

This salary by AWS is also one of the top salaries drawn by AWS Cloud Practitioners in the USA. Learn more!

Sharing and Visibility Architect Dumps – Is It Worth?

Are Salesforce Sharing and Visibility Architect dumps worth it? Learn why you should stay away from exam dumps in this blog. Read Now!

Scroll to Top