Salesforce uses a symmetric encryption key to encrypt the customer data that it stores. (The symmetric encryption used is AES with 256-bit keys in CBC mode, PKCS5 padding, and a random initialization vector (IV).) Salesforce Shield Encryption works in the following way.

1) There are three channels through which data enters Salesforce.com: a user on a desktop browser, a user on a mobile device, or a system making an API call directly into Salesforce.

2) The application servers in the Salesforce data centers act as a gateway: they intercept incoming requests, determine which data elements must be encrypted or decrypted, and apply the appropriate encryption credentials. The data encryption key (which is also the decryption key) is never transmitted and never written to disk (persisted).

3) It is created (derived) in the Salesforce Platform and never leaves it. It is created in a component of the platform called the Key Derivation Server. The encryption key is derived from a combination of a Salesforce component and a customer/tenant-specific component. These are called secrets; they are sometimes also referred to as key fragments.

4) The encryption key in Salesforce Shield Encryption is generated from the master secret (the Salesforce component) and the tenant secret (the customer component) using PBKDF2 (Password-Based Key Derivation Function 2).

5) The derived data encryption key is then securely passed to the encryption service and held in the cache of an application server.

– To encrypt data, Salesforce retrieves the data encryption key from the cache and performs the encryption.

– To decrypt data, Salesforce reads the encrypted data from the database; if the encryption (decryption) key is not in the cache, it derives it again using the associated tenant secret, then decrypts using the key and the associated IV.
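The derive, cache, encrypt and decrypt flow of steps 3 to 5 above, as an added example written for this page and not Salesforce's own code. The PBKDF2 iteration count, the use of the tenant secret as the PBKDF2 salt, and the tenant identifiers are assumptions; Salesforce does not publish those details.

```ruby
require 'openssl'
require 'securerandom'

# Assumed parameters for this example; the post does not state Salesforce's settings.
PBKDF2_ITERATIONS = 100_000
KEY_BYTES = 32 # AES-256
CIPHER = 'aes-256-cbc'

# Step 4: derive the data encryption key from the master secret (Salesforce component) and
# the tenant secret (customer component) with PBKDF2-HMAC-SHA256; tenant secret as salt is assumed.
def derive_key(master_secret, tenant_secret)
  OpenSSL::PKCS5.pbkdf2_hmac(master_secret, tenant_secret, PBKDF2_ITERATIONS,
                             KEY_BYTES, OpenSSL::Digest.new('SHA256'))
end

# Step 5: the derived key lives only in the application server's in-memory cache,
# keyed by tenant; on a miss it is re-derived from that tenant's secret (step 3).
class KeyCache
  def initialize(master_secret)
    @master_secret = master_secret
    @cache = {} # tenant_id => key; memory only, never persisted
  end
  def key_for(tenant_id, tenant_secret)
    @cache[tenant_id] ||= derive_key(@master_secret, tenant_secret)
  end
  def cached?(tenant_id)
    @cache.key?(tenant_id)
  end
  def evict(tenant_id)
    @cache.delete(tenant_id)
  end
end

# Encrypt one field: AES-256-CBC, PKCS5/PKCS7 padding (OpenSSL's default), fresh random IV
# stored beside the ciphertext. The IV is not secret, but must never repeat under one key.
def encrypt_field(key, plaintext)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key
  iv = SecureRandom.random_bytes(cipher.iv_len)
  cipher.iv = iv
  { iv: iv, ciphertext: cipher.update(plaintext) + cipher.final }
end

# Decrypt with the key and the stored IV; a wrong key yields garbage or a CipherError (bad padding).
def decrypt_field(key, record)
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key
  cipher.iv = record[:iv]
  cipher.update(record[:ciphertext]) + cipher.final
end
```

Evicting a tenant from the cache and decrypting again exercises the cache-miss path of the decrypt step; a record encrypted before a tenant secret is rotated cannot be decrypted with the key derived from the new secret.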

Salesforce Shield Encryption