How to Encypt Your Data on Salesforce
How to Encypt Your Data on Salesforce
Learn about custom field encryption, the Apex Crypto Class, and third-party encryption on Salesforce.
Join the DZone community and get the full member experience.Join For Free
Learn how to migrate and modernize stateless applications and run them in a Kubernetes cluster.
Data is the new currency of today’s digital world. Data is probably the most costly affair these days. If you are using data then definitely you will have volumes and varieties of data in your organization. Some confidential and others super confidential. So the question nagging us - Is the data in Salesforce secure enough?
There are a number of ways for encrypting data in Salesforce. Let’s analyze:
Salesforce Custom Field Encryption:
People using Salesforce Developer, Enterprise, Unlimited, Performance and Database.com versions believe there is a way to encrypt the custom fields. You have to select text (encrypted) field when created a new custom field, and it will open the following pages:
You have to select the most appropriate options as per your security need. This case is mostly opted for when multiple users are viewing information and you want to put a restriction on viewing the data after entering the values. It can also be used to tweak the values or make them partially visible or can also be used for saving the passwords for VisualForce based portals.
Apex Crypto Class:
If you want a finer level of encryption you can opt for Apex Crypto Class. But for leveraging Apex Class’ properties you have to have a thorough and an in depth knowledge about both the Apex programming, and Salesforce customizations. They help in the creation of data digest, authentication codes and signatures which helps in encrypting your data.
It has mainly a set of four methods:
encrypt(algorithmName, privateKey, initializationVector, clearText) encryptWithManagedIV (algorithmName, privateKey, clearText) decrypt(algorithmName, privateKey, initializationVector, cipherText) decryptWithManagedIV(algorithmName, privateKey, IVAndCipherText)
The encrypt() method is used when you have your own (IV) and the same is supposed to be used to encrypt your data. This is mostly used when you are going for a third party system authentication. And the third party system authenticates the data using the IV. The decrypt() method is similarly used for decryption of the code. However Crypto classes uses only symmetric key encryption.
The private key that is used in the above method is also generated by another crypto method generateAesKey(size). The size defines the length of the encryption protocol. The types which crypto classes support are as follows:
Blob presetIV = Blob.valueOf('Example of IV123'); Blob key = Crypto.generateAesKey(128); // Generate the data to be encrypted. Blob data = Blob.valueOf('Data to be encrypted'); Blob encrypted = Crypto.encrypt('AES128', key, presetIV, data); Blob decrypted = Crypto.decrypt('AES128', key, presetIV, encrypted); String decryptedString = decrypted.toString(); //check the authenticity of data( useful for integrations) System.assertEquals('Data to be encrypted', decrypted
The encryptWithManagedIV() method is used to encrypt data using Salesforce generated initiation vector while its counterpart decryptWithManagedIV() method does not require any IV parameters. However this system is recommended only if you are using data for Salesforce based systems.
Blob cryptoKey = Crypto.generateAesKey(256); // Generate the data to be encrypted. Blob data = Blob.valueOf('clear text waiting for encryption'); // Encrypt the data using Salesforce.com generate the initialization vector Blob encryptedData = Crypto.encryptWithManagedIV('AES256', cryptoKey, data); // Decrypt the data - the first 16 bytes contain the initialization vector Blob decryptedData = Crypto.decryptWithManagedIV('AES256', cryptoKey, encryptedData); // Decode the decrypted data for subsequent use String decryptedDataString = decryptedData.toString(); //check the authenticity of data( useful for integrations) System.assertEquals('clear text waiting for encryption', decryptedString);
Third Party Encryption:
The third possible way to encrypt the Salesforce data is by using the third party encryption services. These are mostly paid or subscription based services.
These services act as an interface or as an additional protection layer between the data entry points and Salesforce.
These services are used for fulfilling both the purposes of encryption and authentication.
These solution are opted by those people who do not go for custom based solution.
This system also ensures that the concept and complexity of encryption keys are also handled by the third party services itself.
However encrypted data in Salesforce means that it would not be possible to integrate Salesforce with any other third party based solution without involving encryption solution’s adapter. Which implies that if the third party solution does not have a suitable adapter you have to go for custom based solution.
Opinions expressed by DZone contributors are their own.