Blog: Salesforce Encryption: Probabilistic vs Deterministic

Posted by Pete Thurston
Pete Thurston”

Probablistic vs deterministic encryption blog

Since the Summer '18 release, Salesforce has provided the option to encrypt certain fields with deterministic encryption scheme. But before we dive into the difference between probabilistic and deterministic encryption, let's make sure we're all on the same page.

What’s Data Encryption?

Data encryption is the process of taking information in readable form and translating it to a non-readable form.  It converts data into a secret code and is the most effective way to achieve data security.  To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.  Unencrypted

>> Know which fields can be encrypted & why some can’t?  Get the Shield Platform Encryption Checklist HERE

data is called plain text; encrypted data is referred to as cipher text.  When data is encrypted, each bit of data is turned into a fully random cipher text string.  Encryption will not generally impact users who are authorized to view the data.

So how does this relate to Salesforce?

Salesforce Shield Platform Encryption

Platform Encryption is part of Salesforce Shield – Salesforce’s premium security offering. Platform Encryption builds on the data encryption options that Salesforce offers out of the box and encrypts the data at rest.  Shield Platform Encryption is available as an add-on subscription in Enterprise, Performance and Unlimited Editions and requires purchasing Salesforce Shield.

Data stored in many standard and custom fields and in files and attachments can be encrypted using an advanced Hardware Security Module-based (HSM) key derivation system, so it is protected even when other lines of defense have been compromised. 

Shield Overview with 3 components-03-03

Why use Salesforce Shield Platform Encryption?

Salesforce Shield Platform Encryption centers around the idea of strengthening your data’s security.  Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality.  It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements, and contractual obligations for handling private data - PII, ePHI, PCI, and more.

Watch: What's the difference between Probabilistic vs Deterministic Encryption? 👇


Probabilistic Encryption

By default, Salesforce encrypts data using a probabilistic encryption scheme.  Probabilistic encryption is the use of randomness in an encryption algorithm so that when encrypting the same text several times, it will, in general, yield different cipher texts. 

Probabilistic encryption is so secure that it can often cause issues when logic is executed in the database or when encrypted values are compared to a string or to each other.  When these types of configuration

Implement Salesforce Shield in 20 min WEBINAR >> See the Value of your Shield Investment

changes are made within a Salesforce org, filtering isn’t possible because the data has been turned into random, patternless strings.  

For example, you might run a SOQL query in custom Apex code against the Contact object, where LastName = ‘Jones’.  If the LastName field is encrypted with probabilistic encryption, you can’t run the query because each instance of the value ‘Jones’ represents a different text string. 

It is recommended to use probabilistic encryption whenever data in a field will not need to be filtered on.

Deterministic (Filter-Preserving) Encryption

Deterministic encryption addresses the issue with probabilistic encryption by securing the Salesforce org while retaining the benefits of filtering data. 

To be able to use filters when data is encrypted, we have to allow some patterns in our data.  Deterministic encryption uses a static initialization vector (IV) so that encrypted data can be matched to a particular field value.  The system can’t read a piece of data that’s encrypted, but it does know how to retrieve the cipher text that stands for that piece of data because of the static IV.  The IV is unique for a given field in a given org and can only be decrypted with your org-specific encryption key.  The Salesforce Shield Platform Encryption at rest approach is to expose just enough determinism to enable users to filter on encrypted data while limiting it enough to ensure that a given plain text value does not universally result in the same cipher text value across all fields, objects, or orgs.  In this way, deterministic encryption only decreases encryption strength as minimally necessary to allow for filtering.

Deterministic encryption allows for the user to specify if case sensitivity on record values needs to be accounted for 2 Types of Deterministic Encryption:

  • Case-Sensitive – Allows for the ability to filter data on a case-sensitive basis. ‘ACME’ and ‘Acme’ will be considered 2 unique values and the encryption scheme would use different cipher text strings to identify these 2 records.
  • Case-Insensitive – Allows for the ability to filter data but does not factor the case of the value. ‘ACME’ and ‘Acme’ would be considered the same value and the encryption scheme would use the same cipher text value for both (assuming the record is in the same field / object / org)

So there you have it – a quick overview of the different types of encryption Salesforce Shield Platform Encryption has to offer. Ready to implement Platform Encryption faster, in real-time, on a Salesforce-native GUI that helps you manage and prove data security ongoing? Check out RevCult's Shield Security Cockpit® . 

If you have any questions, don’t hesitate to contact us or email us at

There's more to explore:

Topics: Salesforce Shield

Subscribe to the Blog