Salesforce can run a background encryption process to traverse the database and file storage, decrypt existing encrypted data, and then re-encrypt the data using the new data encryption key.
To the best of my knowledge, Shield enables you to encrypt sensitive data at rest, not metadata; however, metadata is used for the below:
When a Salesforce user saves encrypted data, the runtime engine determines from metadata whether to encrypt the field, file, or attachment before storing it in the database.
Leveraging Shield Platform Encryption’s HSM-based key derivation architecture, metadata, and configurations, Search Index Encryption runs when Shield Platform Encryption is in use.
The core application determines if the search index segment should be encrypted or not based on metadata.
To restore a destroyed tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It’s encrypted with a different key and has additional metadata embedded in it.
You can’t use Shield Platform Encryption with Custom Metadata Types.
Greetings to you!
Please refer to the below links which might help you further with the above requirement.
https://www.salesforce.com/content/dam/web/en_us/www/documents/reports/wp-platform-encryption-architecture-2018.pdf
https://help.salesforce.com/articleView?id=security_pe_encryption_process.htm&type=5
I hope it helps you.
Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. It will help to keep this community clean.
Thanks and Regards,
Khan Anas