FAQ-000706 - Data Storage and Encryption Security / Encryption and Key Management

For large-scale user data in Salesforce, the following encryption approaches are recommended: Use **strong encryption schemes** like AES-256 or higher to protect data at rest, securely store encryption keys in **protected custom settings** or **protected custom metadata** - never hardcode them in your code, for sensitive data such as personally identifiable information (PII) or access tokens ensure proper encryption practices are followed, use **vendor-provided libraries** for encryption and avoid implementing custom cryptography, and ensure sensitive data is not written to logs and is accessed only by authorized users. These practices help ensure the security and compliance of large-scale user data.

The FAQ content is generally accurate but needs refinement in two key areas. First, the recommendation of 'AES-128 or higher' should be updated to 'AES-256 or higher' to reflect current security best practices, as AES-128 is now considered the minimum acceptable standard rather than the recommended practice. Second, the phrase about storing keys securely needs clarification to explicitly warn against hardcoding keys in code, which is a critical security vulnerability. For security rules selected: - ApexBadCrypto: Directly relates to the FAQ's discussion of encryption schemes and using strong cryptographic methods - AvoidHardcodedCredentialsInFieldDecls: Relates to the secure key storage guidance mentioned in the FAQ about protected custom settings/metadata - AvoidHardcodedCredentialsInVarAssign: Connects to the key management practices discussed in the FAQ - AvoidHardcodedCredentialsInVarDecls: Relevant to the secure storage of encryption keys mentioned in the FAQ - ProtectSensitiveData: Directly applies to the FAQ's focus on protecting PII and sensitive user data through encryption