Skip to main content

Salesforce Shield Platform Encryption

The nature of Komodo Care Connect as a patient-centered application requires both personally identifiable information (PII), such as name, birthdate, and address, and protected health information (PHI), such as medical diagnoses and prescriptions, to be captured and stored. While Salesforce provides standard security layers where all data moving in or out of Salesforce is always encrypted in transit, Komodo Care Connect can be configured to further encrypt data held in the application using Shield Platform Encryption.

Shield Platform Encryption, one of three features provided by Salesforce Shield, allows data in Salesforce to also be encrypted at rest. Data that is encrypted at rest is in a permanent state of encryption only on the disk where it resides; in the interface, it is decrypted on-demand with a tenant secret encryption key. This means that encryption affects only unauthorized individuals who attempt to access the data on the disk, not authenticated users who log into Komodo Care Connect.

For more information about Salesforce Shield, including any considerations and trade-offs you should be aware of, reference Salesforce's documentation on how you can Strengthen Your Data's Security with Shield Platform Encryption.

Pre-encryption setup

Note

To set up Shield Platform Encryption in Komodo Care Connect V1, admin users must be assigned the KCC - Manage Encryption Keys (PJN_Manage_Encryption_Keys) permission set.

To prepare for encryption, you must first consider all of the data that you may want encrypted at rest, including those that may be hidden or used infrequently, and determine whether you want to use probabilistic or deterministic encryption. Probabilistic encryption is the recommended and Salesforce's default form of encryption. However, since it may not support the fields that you want to encrypt, you may find that deterministic encryption better suits your business needs. For more information about deterministic encryption, reference Salesforce's documentation on Filter Encrypted Data with Deterministic Encryption. Only after you have confirmed what data to encrypt and what form of encryption to use should you create the tenant secret you need for encryption.

Probabilistic encryption

To generate and export the tenant secret for probabilistic encryption:

  1. In Setup, search for and select Key Management.

  2. Click Generate Tenant Secret.

  3. Next to the newly generated tenant secret, click Export.

  4. Save and store the tenant secret somewhere secure, such as in a password manager.

Deterministic encryption

To enable deterministic encryption:

  1. In Setup, search for and select Advanced Settings.

  2. Toggle on Deterministic Encryption.

To generate and export the tenant secret for deterministic encryption:

  1. In Setup, search for and select Key Management.

  2. For Choose Tenant Secret Type, select Data in Salesforce (Deterministic).

  3. Click Generate Tenant Secret.

  4. Next to the newly generated tenant secret, click Export.

  5. Save and store the tenant secret somewhere secure, such as in a password manager.

Encryption steps

For each type of data that you want to encrypt at rest, reference the appropriate section(s) below:

Fields

To encrypt standard fields on standard objects:

  1. In Setup, search for and select Encryption Policy.

  2. Click Encrypt Fields.

  3. Under each standard object, check the fields that should be encrypted.

  4. Click Save.

Warning

If you run into an error where portals do not support encryption on standard fields, you may need to raise a support ticket with Salesforce Support. This is a known issue in Salesforce.

To encrypt custom fields on any object:

  1. In Setup, search for and select Advanced Settings.

  2. Toggle on Encrypt Custom Fields in Managed Packages.

  3. Click Accept.

  4. In the Object Manager, search for and select the object you want to encrypt fields for.

  5. In the left sidebar, click Fields & Relationships.

  6. Click the custom field you want to encrypt.

  7. Click Edit.

  8. Under General Options, check Encrypted.

  9. Click Save.

Field history data

To encrypt field history data:

  1. In Setup, search for and select Advanced Settings.

  2. Toggle on Encrypt Field History and Feed Tracking Values.

Files

To encrypt files:

  1. In Setup, search for and select Encryption Policy.

  2. Check Encrypt files and attachments.

  3. Click Save.

Encryption across environments

To reduce the manual encryption setup that will need to be done for every environment in which you want your instance of Komodo Care Connect to be promoted, ensure that the completed encryption setup is reflected in your code repository. Once a field is marked as encrypted in your repository, it can be deployed or pushed as is to any environment, regardless of the target environment’s encryption setup. For more information, reference Salesforce’s documentation on How Do I Deploy Shield Platform Encryption?