FAQ-000400 - Community and Experience Cloud Security / Data Encryption and Sensitive Information

Sensitive data in community-enabled applications should be encrypted using strong encryption schemes like AES-256 or higher. Here are the key steps: 1. **Encryption Keys**: Store encryption keys securely in protected custom settings, protected custom metadata API fields, or named credentials. 2. **Permissions**: Ensure that permissions for these fields are configured correctly to prevent unauthorized access. 3. **Supported Cryptography APIs**: Use supported cryptography APIs, such as Apex Crypto calls, for the encryption process instead of relying solely on encrypted fields. This approach ensures robust protection of sensitive data in community-enabled applications.

Updated the encryption standard from AES-128 to AES-256 to reflect modern cryptographic best practices, as AES-256 is now the recommended minimum standard for strong encryption. The rest of the content remains accurate and aligned with security best practices. Selected security rules relate to this FAQ's encryption guidance as follows: - ApexBadCrypto: Directly relates to the FAQ's recommendation to "use supported cryptography APIs, such as Apex Crypto calls" - this rule detects weak or improper cryptographic implementations in Apex - ApexSuggestUsingNamedCred: Connects to the FAQ's guidance on storing "encryption keys securely in...named credentials" - this rule promotes using named credentials for secure credential storage - AvoidHardcodedCredentialsInFieldDecls: Relates to the security concern underlying the FAQ's emphasis on secure key storage rather than hardcoding - AvoidHardcodedCredentialsInVarAssign: Supports the FAQ's guidance against insecure key storage practices - AvoidHardcodedCredentialsInVarDecls: Reinforces the FAQ's recommendation for secure encryption key management practices