Filter Encrypted Data with Exact Match Case-Insensitive Deterministic Encryption (Beta)

Want better results when filtering encrypted data? You can now use the same capabilities as deterministic encryption but with exact, case-insensitive matching. Case-insensitive means that a SOQL query against the Lead object, where Company = 'Acme’, returns Acme, acme, or ACME. Similarly, when the filter-preserving scheme tests for unicity (uniqueness), each version of Acme is considered identical.
Where: This change applies to Salesforce Classic, Lightning Experience, and all versions of the Salesforce app in sandbox and Developer Edition environments. After you’ve tested this feature in sandbox, contact Salesforce to enable it in a production org in Enterprise, Performance, and Unlimited editions.


As a beta feature, Case-Insensitive Deterministic Encryption is a preview and isn’t part of the “Services” under your master subscription agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only from generally available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame or at all, and we can discontinue it at any time. This feature is for evaluation purposes only. It’s offered as is, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions, Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content apply equally to your use of this feature. You can provide feedback and suggestions for Case-Insensitive Deterministic Encryption in the IdeaExchange and through the Trailblazer Community. For information about enabling this feature in your organization, contact Salesforce.

How: If you’re new to using case-insensitive deterministic encryption, contact Salesforce Customer Support for access to this encryption scheme. Turn on deterministic encryption on the Advanced Settings page in Setup. On the Key Management page, select the Data in Salesforce (Deterministic) secret type, and click Generate Tenant Secret. Now you can apply case-insensitive deterministic encryption to standard fields from the Encrypt Standard Fields page or to custom fields through the Object Manager.

Expanded drop down menu on the Encrypt Standard Fields page with the Deterministic-Case Insensitive encryption scheme highlighted.

When you apply case-insensitive deterministic encryption to data, synchronize your data from the Encryption Statistics and Data Sync page, or contact Salesforce Customer Support to request the background encryption service. If you don’t synchronize your data, case-insensitive deterministic encryption isn’t fully functional.

New in Spring ’19

  • Compatibility with compound fields (except fields with custom indexes).
  • Ability to encrypt Text and Email external ID custom fields with case-insensitive deterministic encryption. When you create or edit these fields, use one of the following field setting combinations.
    External ID Field Type Unique Attributes Encrypted
    Text None Use case-insensitive deterministic encryption
    Text Unique and case sensitive Use case-sensitive deterministic encryption
    Text Unique and case insensitive Use case-insensitive deterministic encryption
    Email None Use case-insensitive deterministic encryption
    Email Unique Use case-sensitive deterministic encryption
Case-insensitive deterministic encryption doesn't support fields used in skinny table.