What is the difference between storing secrets in a protected custom setting versus an encrypted field on a regular custom setting?
Answer
Protected custom settings and encrypted fields on regular custom settings serve different purposes and have distinct security features:
- **Protected Custom Settings**: These are specifically designed for securely storing sensitive data like authentication credentials. They are not visible to subscribers of managed packages and require custom code for management and access since they lack a built-in user interface.
- **Encrypted Fields on Regular Custom Settings**: These use encryption to secure data but are not ideal for storing authentication data (e.g., passwords or API keys). Users with the "View Encrypted Data" permission can see the data, which may pose a security risk. Encrypted fields are better suited for other sensitive data types, like credit card numbers or social security numbers, rather than authentication secrets.
What is the difference between storing secrets in a protected custom setting versus an encrypted field on a regular custom setting?
Recommended Answer Update
Protected custom settings and encrypted fields on regular custom settings serve different purposes and have distinct security features:
- **Protected Custom Settings**: These are specifically designed for securely storing sensitive data like authentication credentials. They're not visible to subscribers of managed packages and require custom code for management and access since they lack a built-in user interface.
- **Encrypted Fields on Regular Custom Settings**: These use encryption to secure data but aren't ideal for storing authentication data (e.g., passwords or API keys). Users with the "View Encrypted Data" permission can see the data, which may pose a security risk. Encrypted fields are better suited for other sensitive data types, like credit card numbers or social security numbers, rather than authentication secrets.
Reasoning
The changes improve clarity and readability by using contractions ("They're" instead of "They are", "aren't" instead of "are not") to make the text more conversational while maintaining all technical accuracy. No outdated content was detected: the information about protected custom settings and encrypted fields remains current. The security guidance appropriately emphasizes that protected custom settings are better for authentication credentials while encrypted fields are suitable for other sensitive data.
The related security rules all address the broader topic of credential storage that this FAQ discusses:
- **ApexSuggestUsingNamedCred** relates to the FAQ's discussion of storing authentication credentials and suggests using Named Credentials as a best practice.
- **AvoidHardcodedCredentialsInFieldDecls**, **AvoidHardcodedCredentialsInVarDecls**, and **AvoidHardcodedCredentialsInVarAssign** all relate to the FAQ's emphasis on proper storage of authentication data like passwords and API keys, as these rules detect when credentials are hardcoded rather than stored securely using methods like protected custom settings.
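The storage options discussed in the answer and in the rules above, shown side by side in Apex. This is an added example, not code from the FAQ or from any package; the custom setting `Integration_Secret__c`, its field `Api_Key__c`, the custom permission `Manage_Billing_Secret`, the named credential `Billing_API` and the endpoint are hypothetical names.

```apex
// Assumes Integration_Secret__c is a hierarchy custom setting with
// Visibility = Protected, shipped inside a managed package (hypothetical).
public with sharing class BillingClient {
    public class ConfigException extends Exception {}

    // BEFORE: the pattern AvoidHardcodedCredentialsInFieldDecls flags.
    // private static final String API_KEY = 'constructed-example-value';

    // AFTER: read the secret from the protected custom setting. Only code in
    // the package's namespace can do this; subscribers cannot view the value.
    private static String apiKey() {
        Integration_Secret__c s = Integration_Secret__c.getOrgDefaults();
        if (s == null || String.isBlank(s.Api_Key__c)) {
            throw new ConfigException('Billing API key is not configured');
        }
        return s.Api_Key__c;
    }

    // Protected settings have no built-in UI, so the package supplies the
    // write path itself and gates it behind a custom permission.
    public static void setApiKey(String newKey) {
        if (!FeatureManagement.checkPermission('Manage_Billing_Secret')) {
            throw new ConfigException('Not authorised to change the API key');
        }
        Integration_Secret__c s = Integration_Secret__c.getOrgDefaults();
        if (s.Id == null) {
            s.SetupOwnerId = UserInfo.getOrganizationId();
        }
        s.Api_Key__c = newKey;
        upsert s;
    }

    public static HttpResponse fetchInvoices() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://billing.example.com/v1/invoices');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiKey());
        return new Http().send(req);
    }

    // Alternative suggested by ApexSuggestUsingNamedCred: the platform holds
    // the credential and attaches it, so Apex never handles the secret.
    public static HttpResponse fetchInvoicesViaNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Billing_API/v1/invoices');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```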