Shield Platform Encryption Explained
Shield Platform Encryption is part of the Salesforce Shield add-on suite (alongside Event Monitoring and Field Audit Trail). It applies AES-256 encryption to data at rest for supported field types, including text, text area, date, datetime, email, phone, URL, and certain standard fields like Name and Description on select objects. Unlike classic Salesforce encryption (which used a masked, unencryptable field type), Shield encryption preserves field functionality: encrypted fields can still appear in list views and reports, and can be used in some SOQL filters.
Key management is critical. Salesforce offers a default key management service, but organizations with strict compliance requirements can bring their own keys via the Cache-Only Key Service or use customer-supplied key material. Encrypted data counts double against storage limits, and certain platform features (like formula field references, SOQL LIKE filters, and aggregate queries) are limited on encrypted fields. Shield Platform Encryption is common in healthcare, financial services, and government orgs where regulatory frameworks mandate encryption at rest.
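A pre-rollout check for the query limits mentioned above, as an added example that is not Salesforce's or this page's own code: it scans SOQL strings and flags LIKE filters, aggregate functions and GROUP BY on fields slated for encryption so they can be reviewed first. The field list, file locations and queries are constructed, and the regex matching assumes single-object queries without subqueries or relationship fields.

```python
import re

# Constructed sample: Object.Field names an org plans to encrypt (hypothetical).
ENCRYPTED_FIELDS = {"Contact.Email", "Contact.Phone", "Account.Description"}

AGGREGATES = r"(?:COUNT_DISTINCT|COUNT|SUM|AVG|MIN|MAX)"
GROUP_BY = re.compile(
    r"\bGROUP\s+BY\s+(.*?)(?:\bHAVING\b|\bORDER\s+BY\b|\bLIMIT\b|$)", re.I | re.S)

def audit_soql(query, encrypted_fields=ENCRYPTED_FIELDS):
    """Return sorted (field, issue) pairs for one single-object SOQL query."""
    match = re.search(r"\bFROM\s+(\w+)", query, re.I)
    if not match:
        return []
    obj = match.group(1).lower()
    # Keep only the encrypted fields that belong to the queried object.
    fields = [f.split(".", 1)[1] for f in encrypted_fields
              if f.split(".", 1)[0].lower() == obj]
    grouped = GROUP_BY.search(query)
    group_cols = ({c.strip().lower() for c in grouped.group(1).split(",")}
                  if grouped else set())
    findings = set()
    for field in fields:
        name = re.escape(field)
        if re.search(rf"\b{name}\s+LIKE\b", query, re.I):
            findings.add((field, "LIKE filter"))
        if re.search(rf"\b{AGGREGATES}\s*\(\s*{name}\s*\)", query, re.I):
            findings.add((field, "aggregate function"))
        if field.lower() in group_cols:
            findings.add((field, "GROUP BY"))
    return sorted(findings)

def audit_all(queries):
    """Flatten findings for (location, query) pairs into report rows."""
    return [(loc, field, issue)
            for loc, query in queries
            for field, issue in audit_soql(query)]

# Constructed queries standing in for SOQL pulled from Apex source.
SAMPLE_QUERIES = [
    ("ContactSearch.cls:41", "SELECT Id FROM Contact WHERE Email LIKE '%@example.com'"),
    ("ContactSearch.cls:58", "SELECT Id FROM Contact WHERE Email = 'a@example.com'"),
    ("Dedup.cls:12", "SELECT Phone, COUNT(Id) FROM Contact GROUP BY Phone"),
    ("Stats.cls:7", "SELECT COUNT_DISTINCT(Email) FROM Contact"),
    ("Leads.cls:3", "SELECT Id FROM Lead WHERE Email LIKE 'a%'"),
]

print(*audit_all(SAMPLE_QUERIES), sep="\n")
```

The equality filter and the Lead query produce no findings: the first is not one of the limited constructs, and Lead.Email is not in the constructed encryption list.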
Related Salesforce Terms
Field-Level Security (FLS)
Field-Level Security controls which users can see and edit specific fields on Salesforce objects, enforced at the profile and permission set level.
Organization-Wide Defaults (OWD)
Organization-Wide Defaults define the baseline record access level for each object, establishing the most restrictive sharing setting before other mechanisms open access.
Profile
A Profile in Salesforce defines the baseline set of permissions, page layout assignments, and system settings that apply to every user assigned to it.