Salesforce Shield File Encryption Myths: Debunked

When it comes to file encryption in Salesforce, there is a ton of information available – so much so that it threatens to overwhelm a casual researcher. We here at Eigen X empathize with that plight and are here to help. Below, we’ve debunked the top five myths surrounding file encryption so you don’t need to.


Myth #1: Once a file is encrypted, my Salesforce users won’t be able to see the file without a decryption permission.  

Debunked! File encryption does not hide or obfuscate the file from your end users. In fact, users with access to the file can work with it normally regardless of their encryption-specific permissions. This is because Shield encryption (another name for what is commonly known as Platform Encryption) encrypts data “at rest”, i.e. while it is stored in Salesforce’s data centers. Encrypting data at rest is critical because even if attackers gained unauthorized access to Salesforce’s physical servers, they could not decipher the encrypted data without the encryption keys, which provides another layer of protection for sensitive information.

Encryption of data stored in Salesforce’s data centers is unrelated to the access and data sharing functionality implemented in your org. In other words, if you don’t want a user in your org to see a file, you should use profiles, roles, permission sets, restriction rules, or sharing sets to control visibility – not encryption.


Myth #2: Once file encryption is enabled in Shield, all files in your org will be encrypted.  

Debunked! When file encryption is turned on, any file uploaded from that point on is encrypted. However, files uploaded before that point are not automatically encrypted.

To encrypt historical files and attachments, submit a Salesforce Support Case.


Myth #3: A system administrator has the ability to selectively encrypt files based on criteria or ownership rules.  

Debunked! File and attachment encryption is binary (all or nothing). If enabled for your org, all new files and attachments will be encrypted going forward – no exceptions.  

Note – make sure your org has an active encryption key before enabling this policy, otherwise it will trigger an error each time an end user tries to upload a document.  


Myth #4: Users and admins can tell if a file is encrypted by checking the file’s properties.  

Debunked! The most straightforward way to determine whether a file or attachment is encrypted is to query the IsEncrypted field on the ContentVersion object. The following screenshots illustrate this:

Salesforce orgs that still allow users to switch between Lightning Experience and Classic have another option. Classic displays encryption status on file records, as depicted below.
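
The IsEncrypted query above is also the quickest way to find the historical plaintext files that Myth #2 describes. As an added example (not Eigen X’s or Salesforce’s code), the Python below takes the rows such a query returns and separates files that were uploaded before encryption was enabled, which need the Support Case, from plaintext files created after enablement, which should not exist and are worth investigating. The enablement date and the sample rows are assumptions constructed for the example.

```python
"""Audit which ContentVersion records are actually encrypted.

Added example, not Eigen X or Salesforce code. The rows below are a
constructed stand-in for the result of this SOQL query against the org:

    SELECT Id, Title, IsEncrypted, CreatedDate
    FROM ContentVersion WHERE IsLatest = true
"""
from datetime import datetime, timezone

# Assumption: the date file encryption was switched on in this org (placeholder value).
ENCRYPTION_ENABLED_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample rows shaped like Salesforce REST query results (fake Ids).
SAMPLE_RECORDS = [
    {"Id": "068000000000001AAA", "Title": "nda_2023.pdf", "IsEncrypted": False,
     "CreatedDate": "2023-11-05T09:12:00.000+0000"},
    {"Id": "068000000000002AAA", "Title": "customer_export.csv", "IsEncrypted": False,
     "CreatedDate": "2024-01-20T14:03:00.000+0000"},
    {"Id": "068000000000003AAA", "Title": "q2_forecast.xlsx", "IsEncrypted": True,
     "CreatedDate": "2024-03-15T10:00:00.000+0000"},
    {"Id": "068000000000004AAA", "Title": "invoice.pdf", "IsEncrypted": False,
     "CreatedDate": "2024-04-02T08:30:00.000+0000"},
]


def parse_sf_datetime(value: str) -> datetime:
    """Parse the timestamp format Salesforce returns, e.g. 2024-03-15T10:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_encryption(records, enabled_at):
    """Bucket records into: encrypted; historical plaintext (expected, needs a Support
    Case); and plaintext created after enablement (unexpected, check the policy/key)."""
    report = {"encrypted": [], "historical_unencrypted": [], "anomalous_unencrypted": []}
    for rec in records:
        if rec["IsEncrypted"]:
            report["encrypted"].append(rec["Id"])
        elif parse_sf_datetime(rec["CreatedDate"]) < enabled_at:
            report["historical_unencrypted"].append(rec["Id"])
        else:
            report["anomalous_unencrypted"].append(rec["Id"])
    return report


if __name__ == "__main__":
    result = audit_encryption(SAMPLE_RECORDS, ENCRYPTION_ENABLED_AT)
    for bucket, ids in result.items():
        print(f"{bucket}: {len(ids)} -> {', '.join(ids) or '-'}")
```

Replace SAMPLE_RECORDS with the records returned by your org’s API client to run it for real; the Ids in the historical bucket are what you hand to Salesforce Support.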

Myth #5: If encryption is disabled for files and attachments, historical files and attachments in that org will stay encrypted.

Debunked! This is false, but with a caveat. If you disable encryption for files and attachments, your historical files and attachments will be decrypted. However, this decryption may not be instantaneous. To keep your encryption policy up to date, you can sync your data with self-service background encryption.

Note: You can sync your data from the Encryption Statistics and Data Sync page once every 7 days. If you need to sync sooner, you can submit a Salesforce Support Case.