FAQ - Shield Platform Encryption

1.How do I know a Field in an Object is encrypted at rest?

Metadata API - describe - provides encrypted flag value for the encrypted fields as true as shown below:

Account object encrypted fields:

Describe on Account Object showing encrypted flag for the encrypted fields:

Describe on Account Object:

Options for Verifying Encryption:

At the request of an organizations admin, Tier 3 security agents can run a backend process to provide confirmation details of encrypted fields based on server logs which can be provided to users. Please allow two business days for these requests to process due to complexity of the request.
Organization admins can follow the steps below to use tenant key masking to verify field encryption at a record level:

a. Export current tenant secret used to encrypt current data in report and store it in a safe place.

b. Generate a new tenant secret.

c. Destroy the initial key used to encrypt data.

d. With the new key active navigate to any record where fields are encrypted and the data will show ????? meaning the data is encrypted.

Note: Once the admin or customer has reviewed the data masked with ????, the old secret used to encrypt the data can be imported back into the org and the new key destroyed as it was not used to encrypt any data.

How about Attachments encryption?

In the event that an admin would like to verify encryption on files and attachments the query below can be ran in Developer Console:

     SELECT ContentType, Id, IsEncrypted FROM Attachments WHERE IsEncrypted = false/true

The query above will run against attachments and show all content where IsEncrypted = true or false. The attachments option can be replaced with files and content type removed to determine if files are encrypted or decrypted based on the IsEncrypted flag.

For additional information related to platform encryption masking please review our Salesforce article entitled:

What Does My Encrypted Data Look Like?: https://help.salesforce.com/articleView?id=security_pe_masking.htm&type=0

2.Knowledge Article: 000247422 says: View Encrypted Data Permission Not Needed with Shield Platform Encryption Beginning Spring ‘17

Can you explain this with an example?

Reference to this Knowledge Article

Reference: View Encrypted Data” Permission Not Needed with Shield Platform Encryption Beginning Spring ‘17

Let us take an example: In our org, we have an user: joe simple

Joe can see the encrypted field: Account.Fax but Joe can't see the encrypted field Account.Phone as per FLS for his profile:

Account.Fax:

Account.Phone:

If Joe uses REST API for example, to access Account Object, Joe will be denied access to the field: Account.Phone as shown below, while Joe can access Account.Fax

But other user, whose FLS allows read on these fields: Account.Fax and Account.Phone can access these two fields:

3.Do I have to backup tenant secrets?

YES!!!

Tenant secrets are not like passwords.

Unlike passwords, you can’t reset a tenant secret. Salesforce can’t help with deleted, destroyed, or misplaced tenant secrets. Always back up tenant secrets!

4.Is the encrypted fields data encrypted at rest?

YES!

You should use field-level access controls to limit who can access this sensitive data as shown above in question number: 2

5.About guideline for selecting fields for encrypting?

Unnecessarily encrypting data can slow down performance and affect users day-to-day activities. Based on your regulatory requirements define the kinds of customer data that require extra security and apply Shield Platform Encryption only to those areas.

6.About automatic encryption?

Field values are automatically encrypted only in records created or updated after you’ve enabled encryption. Salesforce recommends updating existing records to ensure that their field values are encrypted. For example, if you encrypt the Description field on the Case object, use the Data Loader to update all case records. Contact Salesforce if you need help with this.

7.Can you provide technical details about Platform Encryption?

Here is the video answering this question.

Refreshing a sandbox from a production organization creates an exact copy of the production organization. If Shield Platform Encryption is enabled on the production organization, all encryption settings are copied, including tenant secrets created in production.

Once a sandbox is refreshed, tenant secret changes are confined to your current organization. This means that when you rotate or destroy a tenant secret on sandbox, it doesn’t affect the production organization.

As a best practice, rotate tenant secrets on sandboxes after a refresh. Rotation ensures that production and sandbox use different tenant secrets. Destroying tenant secrets on a sandbox renders encrypted data unusable in cases of partial or full copies.

Refer

Links for curious minds:

Rotate Your Encryption Tenant Secrets - based on your organization’s security policies

What’s the Difference Between Classic Encryption and Shield Platform Encryption?: https://help.salesforce.com/articleView?err=1&id=security_pe_comparison_table.htm&siteLang=en_US&type=0
How Shield Platform Encryption Works: https://help.salesforce.com/articleView?id=security_pe_concepts.htm&type=0&language=en_US
Tradeoffs and Limitations of Shield Platform Encryption: https://help.salesforce.com/articleView?err=1&id=security_pe_considerations.htm&siteLang=en_US&type=0
Encrypt Fields: https://help.salesforce.com/articleView?err=1&id=security_pe_enable_standard_fields.htm&siteLang=en_US&type=0&language=en_US

Salesforce Shield Platform Encryption Whiteboard: https://www.youtube.com/watch?v=RMUl0fF7x1E

View Encrypted Data Permission Not Needed with Shield Platform Encryption Beginning Spring ‘17: https://help.salesforce.com/articleView?id=000247422&type=1