Platform Encryption vs. FLS

Platform Encryption will go further than just preventing the users from seeing data; it will also encrypt the fields at the database level. For example, you can't even issue a SOQL query doing an "ORDER BY XXX" if that field is encrypted.

Also, PE lets you encrypt fields not subject to FLS (Account and Contact name, for example). In those cases, users will see "****" instead of the actual value in RLs, Reports, Lookups and other things. This also means users might be able to create accounts, but then can't edit them or report on them.

I can find more documentation if the couple of blurbs above do not properly address your question.

==Edited==

Two more things I forgot to mention are:

1) Compliance. Platform Encryption is compliant with a number of standards that need stricter restrictions than FLS, or that require that even Sys Admins are shielded from seeing some data.

2) You can encrypt Attachments, Files, and Content, which FLS may or may not help you secure.

More resources here and here
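As an added example (not part of the original answer) of the two behaviours described above, the FLS gate and the rejected ORDER BY on an encrypted field, the Apex class below first checks field-level read access with the describe API, then attempts a dynamic SOQL sort and falls back to sorting in memory when the platform rejects the ORDER BY. The object Patient__c and the fields Ssn__c (assumed Shield-encrypted) and Last_Name__c are hypothetical names, and it is an assumption that the rejection surfaces as a QueryException at run time.

```apex
// Added example, not code from the original post. Patient__c, Ssn__c and
// Last_Name__c are hypothetical; Ssn__c is assumed to be Shield-encrypted.
public with sharing class EncryptedFieldQuery {

    // Validated field map for Patient__c. Looking the caller's field name up
    // here (rather than splicing raw input into SOQL) also blocks SOQL injection.
    private static final Map<String, Schema.SObjectField> FIELDS =
        Schema.SObjectType.Patient__c.fields.getMap();

    // FLS gate. Platform Encryption masks values as "****" for users without
    // View Encrypted Data, but it is not a replacement for FLS: check read
    // access on the field before querying it at all.
    public static Boolean canRead(String fieldApiName) {
        Schema.SObjectField f = FIELDS.get(fieldApiName);
        return f != null && f.getDescribe().isAccessible();
    }

    // Returns Patient__c rows sorted by fieldApiName. A plain field sorts in
    // the database; an encrypted field cannot be used in ORDER BY, so the
    // catch block fetches unsorted rows and sorts them in Apex, which sees
    // the decrypted values.
    public static List<Patient__c> sortedBy(String fieldApiName) {
        if (!canRead(fieldApiName)) {
            throw new AuraHandledException('No read access to ' + fieldApiName);
        }
        String base = 'SELECT Id, Last_Name__c, ' + fieldApiName + ' FROM Patient__c';
        try {
            // Assumption: ORDER BY on an encrypted field raises QueryException.
            return Database.query(base + ' ORDER BY ' + fieldApiName + ' LIMIT 200');
        } catch (QueryException e) {
            List<Patient__c> rows = Database.query(base + ' LIMIT 200');
            List<Row> wrapped = new List<Row>();
            for (Patient__c p : rows) {
                wrapped.add(new Row(p, fieldApiName));
            }
            wrapped.sort();
            List<Patient__c> ordered = new List<Patient__c>();
            for (Row r : wrapped) {
                ordered.add(r.rec);
            }
            return ordered;
        }
    }

    // Comparable wrapper so List.sort() can order records by one field's value.
    private class Row implements Comparable {
        Patient__c rec;
        String key;
        Row(Patient__c rec, String fieldApiName) {
            this.rec = rec;
            Object v = rec.get(fieldApiName);
            this.key = (v == null) ? '' : String.valueOf(v);
        }
        public Integer compareTo(Object other) {
            return key.compareTo(((Row) other).key);
        }
    }
}
```

Usage: `EncryptedFieldQuery.sortedBy('Last_Name__c')` sorts in the database, while `EncryptedFieldQuery.sortedBy('Ssn__c')` takes the fallback path. The in-memory sort is bounded by the LIMIT, so it stays within heap limits for small result sets; for large volumes you would restructure the query rather than sort client-side.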


The main advantage of Platform Encryption versus Classic Encrypted Custom Fields is:

Transparency for business critical Platform features, such as search, workflow, and validation rules

You'd have to investigate requirements for private health records storage, as FLS would not be an option in case of:

Privacy policies, regulatory requirements, and contractual obligations for handling private data

You can look at this (FLS vs Encrypted) like you own a gun and:

  • A. You hid it somewhere in your house (there is a potential risk of someone discovering it)
  • B. It's stored in the safe and only your wife knows the password :)

After our meeting with a rep who walked us through Shield in more detail, he said basically there are two reasons to use Platform Encryption:

  1. You are worried someone is going to physically steal a hard drive from Salesforce's data centers.
  2. The government (or your internal compliance team) tells you that you have to.

It sounds like HIPAA actually doesn't require encryption at rest (at least according to our legal team, IANAL), so really it's just #1 for our scenario, and I don't think we have to worry about it.

More importantly, the rep specifically mentioned that Platform Encryption is not a replacement for Field Level Security. Even if you use the former, it should be in tandem with the latter, not as a replacement.