Salesforce offers two types of encryption, each with different capabilities and use cases:
Classic Encryption (No Shield Platform Encryption Required)
Uses deterministic encryption.
Limited to specific standard fields.
Encrypted fields cannot be searched or filtered.
Mainly used for masking sensitive data in a limited capacity.
Shield Platform Encryption (Paid Add-on)
Offers advanced, field-level encryption.
Encrypts data at rest, including files, attachments, and other standard/custom objects.
Allows searching, filtering, and validations with some limitations.
Supports encryption of a broader range of fields, including custom fields.
To Create an Encrypted Custom Field:
Navigate to Setup → Object Manager.
Select the desired object (e.g., Contact, Opportunity, or custom object).
Click Fields & Relationships → New.
Choose Text (Encrypted) → click Next.
Configure:
Field Label / API Name
Length (up to 175 characters)
Mask Type (e.g., , 1234, or None)
Mask Character
Field-level visibility
Assign it to the necessary Page Layouts.
Click Save.
Set Up Field-Level Security:
Go to Setup → Profiles or Permission Sets.
Edit the target Profile/Permission Set.
Ensure the user has Read access to the encrypted field.
Only users with the “View Encrypted Data” permission will see decrypted values; others will see masked values.
To Grant “View Encrypted Data” Permission:
Grant this permission only to trusted users.
Go to Setup → Permission Sets or Profile → System Permissions.
Enable “View Encrypted Data”.
Assign the permission set to relevant users.
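An audit check to go with the grant steps above, as an added example that is not part of the original page and not Salesforce's or Apsona's own code: an Anonymous Apex script that lists every active user who currently holds "View Encrypted Data" and whether the grant comes from a profile or a permission set. It assumes the running user is allowed to query PermissionSetAssignment; the variable names are illustrative.

```apex
// Added example: run in Developer Console > Execute Anonymous.
// PermissionSetAssignment covers both grant paths, because each profile is
// backed by a permission set whose IsOwnedByProfile flag is true.
Map<String, List<String>> grantsByUser = new Map<String, List<String>>();

for (PermissionSetAssignment psa : [
        SELECT Assignee.Username,
               PermissionSet.Label,
               PermissionSet.IsOwnedByProfile,
               PermissionSet.Profile.Name
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsViewEncryptedData = true
          AND Assignee.IsActive = true
        ORDER BY Assignee.Username]) {

    // Record where this particular grant comes from.
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'Profile: ' + psa.PermissionSet.Profile.Name
        : 'Permission set: ' + psa.PermissionSet.Label;

    String username = psa.Assignee.Username;
    if (!grantsByUser.containsKey(username)) {
        grantsByUser.put(username, new List<String>());
    }
    grantsByUser.get(username).add(source);
}

// One log line per user. A user with several sources keeps access to
// decrypted values until every one of those grants is removed.
for (String username : grantsByUser.keySet()) {
    List<String> sources = grantsByUser.get(username);
    System.debug(LoggingLevel.INFO,
        username + ' <- ' + String.join(sources, '; ')
        + (sources.size() > 1 ? '  [multiple grants]' : ''));
}
System.debug(LoggingLevel.INFO,
    grantsByUser.size() + ' active user(s) can see decrypted values.');
```

Compare the output against the list of users who are meant to see unmasked values, and review any profile-level grant first, since it applies to every user on that profile.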
Using Encrypted Fields in Apsona
If the user has the “View Encrypted Data” permission and the encrypted field is included in their Apsona configuration.
Without this permission, the user will see masked data as defined in the field settings.
Ensure the field is visible in the Apsona Configuration assigned to the user’s profile.