Platform Encryption in Salesforce
For Security control, Salesforce offers an out of the box feature called PLATFORM ENCRYPTION. It provides an advanced level of security to the data across the organizations. The Platform Encryption presents the great space for data sharing model with the best business solution. The Security model includes sharing of file, attachment as well as standard & custom field’s value with certain conditions.
Based on purpose, the Encryption can be classified into two types:
1. Classic Encryption – A special type that encrypts the custom text fields.
2. Platform Encryption – This encrypts a larger set of standard fields, along with some custom fields and as well as various type of files and attachments.
Let us see the overview and built-in functionality of Platform Encryption.
Encrypted Standard Fields
Platform Encryption supports for the following standard objects with these specific set of fields.
1. Account Name
1. Name (First Name, Middle Name, Last Name)
2. Mailing Address
6. Home Phone
7. Other Phone
Encrypted Custom Fields
These are custom field types can be encrypted.
3. Text Type (Text, Text Area & Text Area (Long))
1. Custom Email field values would be limited to 70 characters that includes only non-ASCII characters.
2. Custom Phone field values would be limited to 22 characters that includes only non-ASCII characters.
3. Encrypted custom fields can’t be using in custom formula fields or criteria-based sharing rules.
4. The encrypted fields can’t be created using the Schema Builder.
5. Some custom fields can’t be encrypted as below:
1. External data objects
2. Custom formula fields
3. Unique (or) External ID attributes
Encrypt Files and attachments
In your organization, the Platform encryption is enabled. The body of each file & attachment is to be encrypted before the uploading with the certain limits.
Encryption is supported for following types of File/Attachments:
2. Chatter posts & comments
6. Salesforce Files Sync
7. Body of notes using the new Notes tool
Encryption is not supported for following File Types/Attachments:
2. Chatter group photos
3. Chatter profile photos
4. Body of notes using the old Notes tool
Below are the required user permissions, related to the Platform Encryption setup.
1. View data in encrypted fields
2. View Platform Encryption Setup Page
3. Edit Platform Encryption Setup page, excluding key management
4. Generate, destroy, export and import tenant secrets
5. Query Tenant Secret object via the API
Considerations for Platform Encryption
- Encrypted fields can’t be used in the following conditions.
- Matching rules in Duplicate management
- Criteria based sharing rules
- External lookup relationship fields
- Filter criteria in data management tools
- Salesforce1 mobile app
- Live agent chat transcripts by using rest.
2. Report & Dashboard components are not displayed.
3. Page layout & List view are not supported.
4. Campaign member doesn’t support the encrypted field search.
5. Encrypted fields can’t be used in SOQL & SOSL clauses, like the WHERE, GROUP BY & ORDER BY.
6. Encrypted fields can’t be used for the aggregate functions like Max(), Min( ) & Count( ).
7. Body of the files/attachments can be encrypted with the new Notes tool, but not with the old Notes tool.
8. The encrypted fields values are included in email templates. When the Standard Email field is encrypted, Email to Salesforce can’t receive inbound emails.
9. When the Person Account is enabled, the following Account field can be encrypted. The same applies for Contact fields also.
Limitations of Platform Encryption
Many of the applications are currently not supported, but they need to be encrypted by REST.
1. Chatter Desktop
2. Connect Offline
6. Visual Workflows
7. Process Builder
9. Salesforce to Salesforce
10. Salesforce for Outlook
11. Salesforce Classic
12. Lightning Components
13. Salesforce IQ
15. Exact Target
16. Exchange Sync
17. Organization Sync
18. Partner portals, Customer portals & Self-Service portals
- Live agent chat transcript can’t be encrypted by REST.
- Web-to-Case is supported, but the Web Company, Web Email, Web Name and Web Phone fields are not encrypted by REST.