FAQ-000398 - Community and Experience Cloud Security / Data Encryption and Sensitive Information

Current Status: VALID_RESPONSE

Current FAQ

Question
How should AES keys be handled in Experience Cloud solutions?
Answer
In Experience Cloud solutions, AES keys should be handled securely by following these best practices:

1. **Use the System.Crypto Apex Library**: Leverage the AES256 cipher for encryption and decryption.
2. **Store Keys Securely**: Store AES keys in protected custom settings, such as `User_Encryption_Settings__c.Key__c`, to ensure secure management.
3. **Key Management for Guest Users**: If no key exists for a guest user, generate and store a new key in the custom settings for future encryption and decryption requests.

This approach ensures the secure handling of sensitive data and aligns with encryption best practices in Experience Cloud solutions.
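The three practices above combined in one Apex class, as an added example that is not part of the original FAQ or any Salesforce-supplied code. It assumes `User_Encryption_Settings__c` is a hierarchy custom setting with Protected visibility and a text field `Key__c` holding the base64-encoded key; the class and exception names are hypothetical.

```apex
// Added example. Assumes User_Encryption_Settings__c is a hierarchy custom setting
// (Protected visibility) with a Text field Key__c; GuestFieldCrypto is a hypothetical name.
public with sharing class GuestFieldCrypto {

    public class MissingKeyException extends Exception {}

    // Load the key stored for the running user, or null if none exists yet.
    // getValues() returns only this user's record, with no profile/org fallback.
    // Note: a site has a single guest user record, so a key stored against it
    // is shared by every unauthenticated visitor of that site.
    private static Blob loadKey() {
        User_Encryption_Settings__c s =
            User_Encryption_Settings__c.getValues(UserInfo.getUserId());
        if (s == null || String.isBlank(s.Key__c)) {
            return null;
        }
        return EncodingUtil.base64Decode(s.Key__c);
    }

    // Generate a random 256-bit key and store it for the running user.
    private static Blob createKey() {
        Blob key = Crypto.generateAesKey(256);
        upsert new User_Encryption_Settings__c(
            SetupOwnerId = UserInfo.getUserId(),
            Key__c = EncodingUtil.base64Encode(key)
        ) SetupOwnerId;
        return key;
    }

    public static String encrypt(String plainText) {
        Blob key = loadKey();
        if (key == null) {
            key = createKey();   // first request for this user: create the key
        }
        // A random IV is generated per call and prepended to the ciphertext.
        Blob cipher = Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(plainText));
        return EncodingUtil.base64Encode(cipher);
    }

    public static String decrypt(String cipherTextB64) {
        Blob key = loadKey();
        if (key == null) {
            // Never create a key on decrypt: a fresh key cannot match old ciphertext.
            throw new MissingKeyException('No encryption key stored for this user');
        }
        Blob cipher = EncodingUtil.base64Decode(cipherTextB64);
        return Crypto.decryptWithManagedIV('AES256', key, cipher).toString();
    }
}
```

Protected visibility only hides a custom setting from the subscriber org when it ships in a managed package; in unpackaged code the setting is readable by anyone with access to custom settings in Setup.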

AI Recommended Enhancement

Related Security Rules

- ApexBadCrypto
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
Question
How should AES keys be handled in Experience Cloud solutions?
Recommended Answer Update
In Experience Cloud solutions, AES keys should be handled securely by following these best practices:

1. **Use the System.Crypto Apex Library**: Leverage the AES256 cipher for encryption and decryption.
2. **Store Keys Securely**: Store AES keys in protected custom settings or custom metadata types rather than hardcoded values. Avoid storing keys directly in code or easily accessible custom fields.
3. **Key Management for Guest Users**: If no key exists for a guest user, generate and store a new key securely for future encryption and decryption requests.

This approach ensures the secure handling of sensitive data and aligns with encryption best practices in Experience Cloud solutions.
Reasoning
The FAQ content was updated to improve security guidance without removing existing points. The main change addresses a potential security concern in point 2 where the original answer provided a specific example (`User_Encryption_Settings__c.Key__c`) that could encourage developers to store encryption keys in regular custom fields, which may not be the most secure approach. The updated version maintains the same guidance but emphasizes avoiding hardcoded values and suggests more secure alternatives like custom metadata types alongside protected custom settings.

Regarding the selected security rules:

- **ApexBadCrypto**: This rule directly relates to the FAQ's discussion of using "AES256 cipher for encryption and decryption" and the System.Crypto library, helping detect weak cryptographic practices.
- **AvoidHardcodedCredentialsInFieldDecls**: Relates to the FAQ's guidance about storing AES keys securely, as encryption keys are sensitive credentials that shouldn't be hardcoded in field declarations.
- **AvoidHardcodedCredentialsInVarAssign**: Connects to the FAQ's key storage recommendations, as this rule helps prevent hardcoding encryption keys in variable assignments.
- **AvoidHardcodedCredentialsInVarDecls**: Similarly relates to preventing hardcoded encryption keys in variable declarations, which aligns with the FAQ's secure storage guidance.
- **ProtectSensitiveData**: Directly applies to the FAQ's core topic of handling AES encryption keys, which are sensitive data that require protection in Experience Cloud solutions.