Skip to main content

Salesforce Shield Platform Encryption

The nature of Komodo Care Connect as a patient-centered application requires both personally identifiable information (PII), such as name, birthdate, and address, and protected health information (PHI), such as medical diagnoses and prescriptions, to be captured and stored. While Salesforce provides standard security layers where all data moving in or out of Salesforce is always encrypted in transit, Komodo Care Connect can be configured to further encrypt data held in the application using Shield Platform Encryption.

Shield Platform Encryption, one of three features provided by Salesforce Shield, allows data in Salesforce to also be encrypted at rest. Data that is encrypted at rest is in a permanent state of encryption only on the disk where it resides; in the interface, it is decrypted on-demand with a tenant secret encryption key. This means that encryption affects only unauthorized individuals who attempt to access the data on the disk, not authenticated users who log into Komodo Care Connect.

For more information about Salesforce Shield, including any considerations and trade-offs you should be aware of, reference Salesforce's documentation on how you can Strengthen Your Data's Security with Shield Platform Encryption.

Pre-encryption setup

Warning

To set up Shield Platform Encryption in Komodo Care Connect V1, admin users must be assigned the KCC - Manage Encryption Keys (PJN_Manage_Encryption_Keys) permission set. To set up Shield Platform Encryption in Komodo Care Connect V2 and above, admin users must first create and/or assign themselves a custom permission set that contains the Customize Application and Manage Encryption Keys system permissions. For more information, reference Salesforce's documentation on Which User Permissions Does Shield Platform Encryption Require?.

To prepare for encryption, you must first consider all of the data that you may want encrypted at rest, including those that may be hidden or used infrequently, and determine whether you want to use probabilistic or deterministic encryption. Probabilistic encryption is the recommended and Salesforce's default form of encryption. However, it may not support the fields that you want to encrypt, so you may find that deterministic encryption better suits your business needs. For more information about deterministic encryption, reference Salesforce's documentation on Filter Encrypted Data with Deterministic Encryption. Only after you have confirmed what data to encrypt and what form of encryption to use should you create the tenant secret you need for encryption.

Probabilistic encryption

To generate and export the tenant secret for probabilistic encryption:

  1. In Setup, search for and select Key Management.

  2. In the Fields and Files (Probabilistic) tab, click Generate Tenant Secret.

  3. Next to the newly generated tenant secret, click Export.

  4. Save and store the tenant secret somewhere secure, such as in a password manager.

Deterministic encryption

To enable deterministic encryption:

  1. In Setup, search for and select Encryption Settings.

  2. Toggle on Generate Initial Deterministic Tenant Secret.

To generate and export the tenant secret for deterministic encryption:

  1. In Setup, search for and select Key Management.

  2. In the Fields (Deterministic) tab, click Generate Tenant Secret.

  3. Next to the newly generated tenant secret, click Export.

  4. Save and store the tenant secret somewhere secure, such as in a password manager.

Encryption steps

For each type of data that you want to encrypt at rest, reference the Salesforce documentation below:

Encryption across environments

To reduce the manual encryption setup that will need to be done for every environment in which you want your instance of Komodo Care Connect to be promoted, ensure that the completed encryption setup is reflected in your code repository. Once a field is marked as encrypted in your repository, it can be deployed or pushed as is to any environment, regardless of the target environment’s encryption setup. For more information, reference Salesforce’s documentation on How Do I Deploy Shield Platform Encryption?