Salesforce Platform Encryption-Major Update
Whole Org Encryption is available in Winter ’26 release
Why is this important? What was the issue before?
Salesforce has had Platform Encryption for many years; however, there has always been a thorny issue — encrypting fields causes capability loss. What do I mean? If you encrypt a field in Salesforce using Platform Encryption, you are no longer able to use it in a filter or to sort by (except in reports). You can allow for filtering (a where clause in SOQL in Apex or API and conditions in reports) by using the deterministic option when encrypting that field; however, it only allows for equality or inequality filters (= or !=). There is no way to fix the sorting issues in SOQL queries; however, reports do allow for sorting on encrypted fields as they first bring back the data from the database (to get the decrypted values) and then sort it.
What has changed?
In Salesforce’s Winter ’26 release (due in October 2025), the Encrypt Your Entire Database option is now GA and everyone on Hyperforce can use it. This new capability depends on the underlying Salesforce Database’s features. Replacing Oracle with Salesforce’s own database has had a lot of benefits and this is one of them!
Now you are able to encrypt the whole of your org’s data without any impact to capabilities at all — nothing will break.
Salesforce’s databases have been encrypted at rest for quite a while; however, now you are in charge of the key material that will encrypt the database.
Sounds too good to be true!
It is a great feature; however there appears to be one catch at the moment. At the bottom of the release note, it says:
Salesforce begins encrypting all new data. Existing data is not encrypted. Your other encryption settings (Fields and Files, Search Indexes, and Event Log Data) are unchanged.
I do hope that there is a capability offered soon to allow you to retrospectively encrypt existing data as there is for field level encryption. When that is offered, you will be able to unencrypt the fields you have encrypted, do a sync and get the filtering and sorting capabilities back!
How to use it
If you would like to encrypt all new data in your org (after the Winter ’26 release) and you have Platform Encryption, go to the Encryption Settings page and choose the Encrypt the Transactional Database toggle. This will enable the feature.
For more information
The information on this capability is in the Winter ’26 release notes: https://help.salesforce.com/s/articleView?id=release-notes.rn_258_security_pe_de_ga.htm&release=258&type=5.
If you are interested in a detailed Salesforce Security Assessment, or general Salesforce Security Consultancy, please reach out to me at doug@platinum7.com.au.
All comments welcome! I look forward to reading them.
