Salesforce Shield / Platform Encryption with all Blackthorn apps
  • 13 Jul 2022

Overview

If your Salesforce org has implemented data security with Shield Platform Encryption, here's how to set it up and avoid running into errors while using our Blackthorn apps.

Blackthorn's apps work with Salesforce Shield (aka Platform Encryption) enabled, using Deterministic encryption. Deterministic encryption must be configured in three places: the key, the global option, and per field.

Setup

Step 0

The running user of each app, typically the person who installed both apps, must have a profile that can view encrypted fields. Alternatively, you can use a dedicated integration user with this profile, which no one else has access to, to query and create records with the necessary fields.

If you're a system admin and don't have "View Encrypted Data" access on your profile, you can create a custom permission set that includes the access and assign it to your users. See the required user permissions for Shield Platform Encryption here.

To configure this, navigate to Setup and type 'plat' (short for platform) to find the options below. The red arrows highlight where you'll need to click to get to the configuration areas below:

Classic navigation

H_02_15_Setup 1

Lightning Navigation

H_02_15_Setup 2

Step 1

  1. Visit Setup | Platform Encryption | Key Management.
  2. Select 'Data in Salesforce (Deterministic)' and generate your key.

H_02_15_Setup 3

Step 2

  1. Visit Setup | Platform Encryption | Advanced Settings.
  2. Enable 'Deterministic Encryption'.

H_02_15_Setup 4

Step 3

  1. Visit Setup | Platform Encryption | Encryption Policy, then click 'Encrypt Fields'.
  2. For the Email field (or any other field that throws an error when enabling Shield and/or installing our apps, whichever comes first), set those fields to Deterministic - Case Insensitive.

H_02_15_Setup 5

To learn more about how Shield Platform Encryption works, see here.

Suggested Configuration for Blackthorn Fields

  • The tables below list the fields from our applications that should NOT be encrypted using Salesforce Shield.
  • These fields are used to filter SOQL results, so they must be excluded from encryption in order for our apps to work.
  • Formula & Reference fields cannot be encrypted.
  • After marking all fields for encryption, if historical data is present, you will need to export and import records to trigger a full encryption of data at rest, or log a case with Salesforce Support to have a back-end encryption job processed. As of Spring '19, you can also perform this encryption sync yourself using the self-service option in the Salesforce help portal.
  • Picklist fields cannot be encrypted.
  • Blackthorn will maintain the list whenever a new field is added to the apps.

Payments

| Object Name | Field Name | Object Type | Encryption Type |
|---|---|---|---|
| Contact | Email | Standard | No Encryption |
| Product2 | Product_ID__c | Standard | No Encryption |
| Transaction__c | Transaction_Id__c | Custom | No Encryption |
| Transaction__c | Transfer_Payment_Id__c | Custom | No Encryption |
| Transaction__c | Key__c | Custom | No Encryption |
| Payment_Intent__c | Payment_Intent_Id__c | Custom | No Encryption |
| Payment_Method__c | Card_Id__c | Custom | No Encryption |
| Payment_Method__c | ACH_Key__c | Custom | No Encryption |
| Payment_Method__c | Fingerprint__c | Custom | No Encryption |
| Payment_Gateway__c | Webhook_Label__c | Custom | No Encryption |
| Payment_Gateway__c | Stripe_User_Id__c | Custom | No Encryption |
| Plan2__c | Plan_Id__c | Custom | No Encryption |
| Coupon2__c | Coupon_Id__c | Custom | No Encryption |
| Dispute__c | Dispute_ID__c | Custom | No Encryption |
| Stripe_Customer__c | Email__c | Custom | No Encryption |
| Stripe_Customer__c | Customer_Id__c | Custom | No Encryption |

Events

| Object Name | Field Name | Object Type | Encryption Type |
|---|---|---|---|
| Account | Name | Standard | No Encryption |
| Attendee__c | Registration_Status__c | Custom | Deterministic |
| Attendee__c | Email2__c | Custom | Deterministic |
| Attendee__c | Key2__c | Custom | Deterministic |
| Attendee__c | Email__c | Custom | Deterministic |
| Attendee__c | Attendence_Status__c | Custom | Deterministic |
| Email_Template__c | SF_Template_Id__c | Custom | Deterministic |
| Email_Template__c | Name | Custom | No Encryption |
| Event_Group__c | Name | Custom | No Encryption |
| Event__c | Name | Custom | No Encryption |
| Event__c | Event_Start_Date__c | Custom | No Encryption |
| Event__c | Key2__c | Custom | Deterministic |
| Contact | Name | Standard | No Encryption |
| Event_Item__c | Item_Name__c | Custom | No Encryption |
| Event_Notification__c | Title__c | Custom | No Encryption |
| Form_Element__c | Maps_To_Object__c | Custom | Deterministic |
| Form_Element__c | Question__c | Custom | No Encryption |
| Form_Submission__c | Key__c | Custom | No Encryption |
| Lead | Name | Standard | No Encryption |
| Session__c | Start_Date__c | Custom | No Encryption |
| Speaker__c | Last_Name__c | Custom | No Encryption |
| Speaker__c | First_Name__c | Custom | No Encryption |
| Sponsor__c | Tier__c | Custom | No Encryption |
| Sponsor__c | Display_Name__c | Custom | No Encryption |
| Track__c | Name | Custom | No Encryption |
| Event_Setting__c | Name | Custom | No Encryption |
| Payment_Gateway__c | Name | Custom | No Encryption |
| Form__c | Name | Custom | No Encryption |
| Campaign | Name | Custom | No Encryption |

  • For any fields that are lookups, the referenced object's Name field cannot be encrypted.
  • This is not supported in Event Wizard.
  • If you are not planning to add these fields to the Event Wizard fieldset, the fields can be encrypted. The type should be Deterministic.
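
One way to check an org against the tables above is to audit the `encryptionScheme` value in each field's Metadata API `CustomField` XML. This is an added example, not Blackthorn's code. It assumes the field metadata has already been retrieved, uses a constructed `examplens` namespace prefix and constructed sample XML, and treats "unencrypted" as acceptable for rows marked Deterministic.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# A few rows copied from the Payments and Events tables on this page.
# "none": must stay unencrypted; "deterministic": must not be probabilistic.
POLICY = {
    ("Transaction__c", "Transaction_Id__c"): "none",
    ("Payment_Method__c", "Fingerprint__c"): "none",
    ("Attendee__c", "Email__c"): "deterministic",
    ("Event__c", "Key2__c"): "deterministic",
}

def strip_ns(api_name):
    """Drop a managed-package prefix: 'ns__Foo__c' -> 'Foo__c'."""
    parts = api_name.split("__")
    return "__".join(parts[1:]) if len(parts) == 3 and parts[2] == "c" else api_name

def classify(field_xml):
    """Read <encryptionScheme> from CustomField metadata; absent means unencrypted."""
    node = ET.fromstring(field_xml).find("md:encryptionScheme", NS)
    scheme = (node.text or "").strip() if node is not None else ""
    if scheme in ("", "None"):
        return "none"
    return "deterministic" if scheme.endswith("DeterministicEncryption") else "probabilistic"

def audit(fields):
    """fields maps (object, field) API names to CustomField XML; returns violations."""
    findings = []
    for (obj, fld), xml in fields.items():
        key = (strip_ns(obj), strip_ns(fld))
        expected, actual = POLICY.get(key), classify(xml)
        # Fields not in POLICY are skipped; probabilistic is never compatible.
        if expected and (actual == "probabilistic" or (expected == "none" and actual != "none")):
            findings.append((*key, expected, actual))
    return sorted(findings)

def _field(scheme=None):  # constructed sample metadata, not exported from a real org
    tag = f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else ""
    return f'<CustomField xmlns="{NS["md"]}">{tag}</CustomField>'

SAMPLE = {
    ("examplens__Transaction__c", "examplens__Transaction_Id__c"): _field("CaseInsensitiveDeterministicEncryption"),
    ("examplens__Payment_Method__c", "examplens__Fingerprint__c"): _field(),
    ("examplens__Attendee__c", "examplens__Email__c"): _field("ProbabilisticEncryption"),
    ("examplens__Event__c", "examplens__Key2__c"): _field("CaseSensitiveDeterministicEncryption"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding is a tuple of object, field, the table's expected type, and the type found in the org's metadata.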
