Salesforce Shield / Platform Encryption with all Blackthorn apps
  • 13 Jul 2022
  • 3 Minutes to read
  • Dark
    Light

Salesforce Shield / Platform Encryption with all Blackthorn apps

  • Dark
    Light

Overview

If your Salesforce org has implemented data security with Shield Platform Encryption, here's how you can set this up and prevent running into any errors while using our Blackthorn apps.

Salesforce Shield and Blackthorn's apps work with Salesforce Shield aka Platform Encryption enabled. It works with Deterministic based encryption. This must be done in three places. The key, the global option, and per-field.

Setup

Step 0

The running user of each app, typically the person who installed both apps, must have a profile that can view encrypted fields. Alternatively, you can use a dedicated integration user that no one has access to with this profile to query and create records with the necessary fields.

If you're a system admin and don't have "View Encrypted Data" access on profile, you can create a custom permission set to include the access and assign it to your users. See required user permissions for shield platform encryption here.

To configure this, navigate to Setup, type 'plat' to find the below (short for platform). The red arrows highlight where you'll need to click to get to the configuration areas below:

Classic navigation

H_02_15_Setup 1

Lightning Navigation

H_02_15_Setup 2

Step 1

  1. Visit Setup | Platform Encryption | Key Management.
  2. Select 'Data in Salesforce (Deterministic)' and generate your key.

H_02_15_Setup 3

Step 2

  1. Visit Setup | Platform Encryption | Advanced Settings.
  2. Enable 'Deterministic Encryption'.

H_02_15_Setup 4

Step 3

  1. Setup | Platform Encryption | Encryption Policy then click 'Encrypt Fields'.
  2. For the Email field (or any other erroring field you get when enabling Shield and/or installing our apps, whichever comes first, set those fields to Deterministic - Case Insensitive.

H_02_15_Setup 5

To know more about how Shield Platform Encryption Works, see here.

Suggested Configuration for Blackthorn Fields

  • The tables below will provide a list of fields from our applications that should NOT be encrypted using Salesforce Shield.
  • These fields are used to filter the SOQL result and so they should be excluded from the encryption in order for our apps to work.
  • Formula & Reference fields cannot be encrypted.
  • After marking all fields for encryption if historical data is present you will need to export and import records to trigger a full encryption of data at rest or log a case with Salesforce Support to have a back end encryption job processed. As of Spring '19 you can now also perform this encryption sync yourself using the self service option in the Salesforce help portal.
  • Picklist fields can not be encrypted.
  • Blackthorn will maintain the list whenever a new field is added to the apps.

Payments

Object Name Field Name Object Type Encryption Type
Contact Email Standard No Encryption
Product2 Product_ID__c Standard No Encryption
Transaction__c Transaction_Id__c Custom No Encryption
Transaction__c Transfer_Payment_Id__c Custom No Encryption
Transaction__c Key__c Custom No Encryption
Payment_Intent__c Payment_Intent_Id__c Custom No Encryption
Payment_Method__c Card_Id__c Custom No Encryption
Payment_Method__c ACH_Key__c Custom No Encryption
Payment_Method__c Fingerprint__c Custom No Encryption
Payment_Gateway__c Webhook_Label__c Custom No Encryption
Payment_Gateway__c Stripe_User_Id__c Custom No Encryption
Plan2__c Plan_Id__c Custom No Encryption
Coupon2__c Coupon_Id__c Custom No Encryption
Dispute__c Dispute_ID__c Custom No Encryption
Stripe_Customer__c Email__c Custom No Encryption
Stripe_Customer__c Customer_Id__c Custom No Encryption

Events

Object Name Field Name Object Type Encryption Type
Account Name Standard No Encryption
Attendee__c Registration_Status__c Custom Deterministic
Attendee__c Email2__c Custom Deterministic
Attendee__c Key2__c Custom Deterministic
Attendee__c Email__c Custom Deterministic
Attendee__c Attendence_Status__c Custom Deterministic
Email_Template__c SF_Template_Id__c Custom Deterministic
Email_Template__c Name Custom No Encryption
Event_Group__c Name Custom No Encryption
Event__c Name Custom No Encryption
Event__c Event_Start_Date__c Custom No Encryption
Event__c Key2__c Custom Deterministic
Contact Name Standard No Encryption
Event_Item__c Item_Name__c Custom No Encryption
Event_Notification__c Title__c Custom No Encryption
Form_Element__c Maps_To_Object__c Custom Deterministic
Form_Element__c Question__c Custom No Encryption
Form_Submission__c Key__c Custom No Encryption
Lead Name Standard No Encryption
Session__c Start_Date__c Custom No Encryption
Speaker__c Last_Name__c Custom No Encryption
Speaker__c First_Name__c Custom No Encryption
Sponsor__c Tier__c Custom No Encryption
Sponsor__c Display_Name__c Custom No Encryption
Track__c Name Custom No Encryption
Event_Setting__c Name Custom No Encryption
Payment_Gateway__c Name Custom No Encryption
Form__c Name Custom No Encryption
Campaign Name Custom No Encryption
  • For any fields that are lookups the reference object Name field cannot be used to encrypt.
  • This is not supported in Event Wizard.
  • If you are not planning to add these fields in the Event Wizard fieldset, the fields can be encrypted. The type should be Deterministic.

What's Next