Salesforce Uses a symmetric encryption key to encrypt the customer data that it stores. (The symmetric encryption used isAES with 256-bit keys using CBC mode, PKCS5 padding, and random initialization vector (IV).) Salesforce Shield Encryption works in this way.

Thank you for reading this post, don't forget to subscribe!

1) There are three channels to enter data into Salesforce.com. One: user via desktop using a browser, two: users via mobile device or three: a system making an API call directly into Salesforce.

2) The Application servers in the salesforce data centers serve as a gateway to intercepting requests coming in determining which data elements should be encrypted or decrypted and then applying the appropriate encryption credentials.  The Data Encryption Key (which is also the decryption key) is never transmitted or even written to disk (persisted).

3) It is created/derived in the Salesforce Platform and never leaves. It is created in a component of the platform called the Key Derivation Server.  The Encryption key is derived/created from a combination of a Salesforce component and customer/tenant specific component. These are called secrets. Sometimes they are also referred to as key fragments.

4) The Encryption key in Salesforce Shield Encryption is generated from the master secret (Salesforce component) and the tenant secret (customer component) using PBKDF2 (Password-Based Key Derivation Function 2).

5) The Derived data encryption key is then securely passed to the encryption service and held in the cache of an application server.

– Salesforce Retrieve The Data Encryption Key from the cache and performs the encryption.

– To decrypt the data Salesforce Reads the encrypted data from the database and if the encryption (decryption) key is not in the cache then it needs to derive it again using the associated tenant secret, and then it decrypts using the key and the associated iv.

Salesforce Shield Encryption
Related Posts
Salesforce OEM AppExchange
Salesforce OEM AppExchange

Expanding its reach beyond CRM, Salesforce.com has launched a new service called AppExchange OEM Edition, aimed at non-CRM service providers. Read more

The Salesforce Story
The Salesforce Story

In Marc Benioff's own words How did salesforce.com grow from a start up in a rented apartment into the world's Read more

Salesforce Jigsaw
Salesforce Jigsaw

Salesforce.com, a prominent figure in cloud computing, has finalized a deal to acquire Jigsaw, a wiki-style business contact database, for Read more

Health Cloud Brings Healthcare Transformation
Health Cloud Brings Healthcare Transformation

Following swiftly after last week's successful launch of Financial Services Cloud, Salesforce has announced the second installment in its series Read more