Exploring Column Level Encryption
Learn more about Field Encryption.
Column Level Encryption overview
Column Level Encryption is a base system feature that permits encryption of data stored within an instance using AES128, or AES256.
Column Level Encryption enables you to encrypt selected database fields and stored files through the use of encryption contexts. In these contexts you define what is encrypted, choose which algorithm to use, and supply the encryption key, which is stored within your instance.
After the context is created, you can associate it to a user role. Users assigned to this role, either directly of through a group, are able to access the encrypted data.
Because Column Level Encryption bases access to data on role assignment, it’s important to be familiar with administering roles on your instance. For more information, see Managing roles.
Column Level Encryption benefits
| Benefit | Feature | Required Roles |
|---|---|---|
| Configure access to your encrypted data based on assigned user roles. | Role-based access to encrypted data | security admin |
| Protect your data using the Advanced Encryption Standard (AES). You can choose to use either the AES-128 or AES-256 encryption algorithms. | AES Encryption | security admin |
Create up to 5 modules and module access policies (MAP)s using the standard version of Column Level Encryption. MAPs expand on role-based access to allow considerations for:
|
Support for up to 5 modules and module access policies (MAP)s | security admin |
| Encrypt common field types using the standard version of Column Level Encryption. Column Level Encryption Enterprise supports additional field types. | Encryption for String text, Date and Date/Time fields, attachments, and URLs | security admin |
| Choose between standard and equality preserving encryption. When enabled, equality preserving encryption ensures that the encrypted value of a field is the same when the field value remains the same. This type of encryption
enables equality comparisons and group by operations on a field. 주: Non-deterministic encryption isn’t supported. |
Equality preserving encryption support | security admin |
Use getDisplayValue() and setDisplayValue() APIs to return cleartext values and insert encrypted data for encrypted fields. |
getDisplayValue() and setDisplayValue() APIs |
security admin, developer |
Field Encryption Enterprise benefits
Column Level Encryption Enterprise builds on the existing Column Level Encryption framework and provides these additional features after you purchase a subscription.
| Benefit | Feature | Required Roles |
|---|---|---|
| Encrypt additional field types. | Support for additional field types:
|
security admin |
| Column Level Encryption Enterprise supports more than 5 modules and module access policies to provide more options for access to secured data. | Support for additional modules and MAPs | security admin |
| Keys from a key vault can be rotated on an automated schedule you configure. Using automatic key rotation can improve security while reducing administrative overhead. | Configurable automatic key rotation | security admin |
| Manage the full life cycle of your data encryption keys. Optionally, you can securely exchange data encryption keys generated within your environment. | Customer supplied keys | security admin |
| Ephemeral keys are cryptographic keys that are generated for each execution of a cryptographic process. These keys more secure because they’re generated for use in a single session. | Ephemeral cryptographic keys | security admin |
Updated setDisplayValue() and setDisplayValue() APIs can insert encrypted data for encrypted fields. |
Updated getDisplayValue() and setDisplayValue() APIs |
security admin, developer |