Sunday, December 10, 2017

Platform Encryption - Encryption at Rest

Use Case

Recently, I got a requirement to implement Salesforce Shield (platform encryption) at our salesforce organization. It brings a question to me how Salesforce uses platform encryption and encrypt the data at Rest.


If we refer Salesforce Shield Platform Encryption Implementation Guide, we get to know how below process flow works and I am not going deep into this as going through the pdf we can understand the flow and ultimately data is derived based on master key and tenant key.

For a sake of proof of concept, I have defined Case Subject, Description and Case comment fields to be encrypted.

To do this follow: Setup -> Platform Encryption

Click on Encrypt Fields link to reach Encrypt Standard Field page and defined as follows:

Then, I have created a sample case with this subject and description:

If I try to query the same case record from the Developer Console, it returns as follows:

Now, how can I prove that data is encrypted as I can see the data as usual. Moreover there is no such proof of Encypted indicator as I can see for attachment as follows:

This makes me curious about this poc.


First I described the Case Subject field from workbench and it displays as encrypted and also thought that I am an authorized user to access this record that's why I can read the data in a normal way. But I was not satisfied with this.

To make it full proof, I archived the tenant key and exported the key as backup.

Then, destroyed the tenant key based on which that case subject and description got generated.

Now, accessed the same record, it is showing ????? (means, This service is unavailable now). This means encrypted data which has been encrypted with my previous tenant key is not available.

That sounds interesting to me.

But, how can I retrieve the previous data then?

So, I imported the same previous tenant key as follows:

After importing, accessed the same case record. It showed the data again.


It gives me confidence that subject and description standard fields have been encrypted properly with Salesforce shield and encrypted at Rest.

Further Reading

Platform Encryption - Things to know before activating Platform Shield


  1. I like the way you proved it. I was looking for a way too =)

    Thanks and well done. (highfive)

  2. Hello! Thanks for sharing. I'm unable to archive or destroy the tenant key even though i have the manage key permissions. Anything else I should check?

  3. Hi Santanu,

    I found this as a valuable piece of work, i have below questions for you.

    1. what is the workbench that you have shown in Approach section (which used to identify encrypted fields) that true that field masking (*****) feature is not longer available now. if so why they promoting is on their site (
    3. If you have a simple implementation guide (not the salesforce one) please share it.

    thank you very much

    1. Please check my latest post: Platform Encryption - Things to know before activating Platform Shield

  4. This post was very useful, thanks for your time and for sharing it.