Skyhigh Security

Supported Encryption Schemes

The following encryption algorithms, or Encryption Schemes, are supported. Each scheme is listed by name, followed by a description and its use cases.
Data Loss Prevention

The Data Loss Prevention scheme works with DLP policies to scan a text field for sensitive content, and encrypt the content only if there is a match. 

For example, for your Salesforce or ServiceNow service, you could have a comments field. For that field, you would select Data Loss Prevention encryption. In your DLP policy, you would create a proxy rule to configure what sensitive content you're looking for in the comments field, and set the policy action as "encrypt".  

Use Case: For example, you can scan for sensitive content in a Salesforce Chatter post, or in a ServiceNow Live Connect post, and encrypt the content only if there's a match, according to your DLP policy.
File Encryption

The File Encryption scheme encrypts any type of file format that needs to be encrypted.

Use Case: This scheme is useful in Salesforce for a File as an Attachment to an Object (Account or Case), a File under the Files section, or a Document under the Documents section.
Fixed Output Length Searchable Encryption - Alphanumeric Output

The Fixed Output Length Searchable Encryption - Alphanumeric Output scheme is used to encrypt fields of alphanumeric characters, using the English alphabet only. Encryption is format-preserving and searchable, and supports an exact keyword search.

Use Case: This scheme is best used for short text fields.
Format Preserving Encryption - Email

The Format Preserving Encryption - Email scheme preserves the format of the input text.

For example, Salesforce expects an @ and a dot (.) in an email address, and will reject an address as invalid if those characters are not present. Skyhigh CASB encrypts the input email address, then changes the domain to a configurable name in order to protect the identity of your company. The email attributes are preserved so that the value passes validation while the data is protected.

For example, ben.smith@company.com would encrypt to Cipher3@myshn.net, which passes validation at Salesforce but is indecipherable to unauthorized users.
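The address transformation just described, as an added example that is not Skyhigh's code: a small format-preserving construction in Python that encrypts the local part character-for-character over a letters-and-digits alphabet with an HMAC-based Feistel network (a teaching substitute for a standardized FPE mode such as FF1), keeps any dots where they were, and swaps the domain for a configurable placeholder (example.invalid here, an assumed value). The validation regex, the key and the round count are constructed for the demo.

```python
import hashlib
import hmac
import re

# Alphabet for the local part of an address (lowercase letters and digits).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
RADIX = len(ALPHABET)
ROUNDS = 4  # even, so the two Feistel halves return to their original lengths

# Stand-in for the kind of check a SaaS application runs on an email field:
# something, an @, something, a dot, something.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _round_digits(key: bytes, rnd: int, half: str, out_len: int) -> list:
    """HMAC-SHA256 round function: derive out_len digits in [0, RADIX)."""
    digits = []
    counter = 0
    while len(digits) < out_len:
        mac = hmac.new(key, bytes([rnd, counter]) + half.encode(), hashlib.sha256).digest()
        digits.extend(b % RADIX for b in mac)  # slight modulo bias; acceptable for a demo
        counter += 1
    return digits[:out_len]


def _feistel(key: bytes, text: str, encrypt: bool) -> str:
    """Unbalanced Feistel network over ALPHABET; output length equals input length."""
    n = len(text)
    a, b = text[: n // 2], text[n // 2 :]
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for r in order:
        if encrypt:
            f = _round_digits(key, r, b, len(a))
            a, b = b, "".join(ALPHABET[(ALPHABET.index(c) + d) % RADIX] for c, d in zip(a, f))
        else:  # undo one round: the right half was the previous left half plus F(previous right)
            f = _round_digits(key, r, a, len(b))
            a, b = "".join(ALPHABET[(ALPHABET.index(c) - d) % RADIX] for c, d in zip(b, f)), a
    return a + b


def encrypt_email(key: bytes, address: str, replacement_domain: str = "example.invalid") -> str:
    """Encrypt the local part in place (dots and other separators stay put), swap the domain."""
    local, _, _ = address.lower().partition("@")
    core = "".join(c for c in local if c in ALPHABET)
    enc = iter(_feistel(key, core, encrypt=True))
    rebuilt = "".join(next(enc) if c in ALPHABET else c for c in local)
    return f"{rebuilt}@{replacement_domain}"


def decrypt_local_part(key: bytes, encrypted_address: str) -> str:
    """Recover the original local part; the original domain is not in the ciphertext."""
    local, _, _ = encrypted_address.partition("@")
    core = "".join(c for c in local if c in ALPHABET)
    dec = iter(_feistel(key, core, encrypt=False))
    return "".join(next(dec) if c in ALPHABET else c for c in local)


def passes_validation(address: str) -> bool:
    return EMAIL_RE.fullmatch(address) is not None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    token = encrypt_email(demo_key, "ben.smith@company.com")
    print(token, passes_validation(token), decrypt_local_part(demo_key, token))
```

The ciphertext keeps the @, the dot in the domain and the length and dot position of the local part, so a field validator accepts it, while the company domain is gone. The per-byte modulo reduction and the lowercase-only alphabet (which drops case) are simplifications a production FPE mode avoids, and a deployment would have to keep the original domain somewhere other than the ciphertext.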

 
Format Preserving Encryption - Phone

The Format Preserving Encryption - Phone scheme uses a regex search to find numbers formatted as a US phone number, and encrypts the content while preserving the format. The country code is not included.

Use Case: Use this encryption scheme for fields that include US phone numbers.
Format Preserving Encryption - SSN

The Format Preserving Encryption - SSN scheme performs a regex search for US Social Security Numbers in their nine-character format (for example, 123-45-6789) and encrypts the content into 32 characters. 

This scheme can work in two different ways:

  1. No input validation. If there is no input validation on the field to make sure that the SSN is formatted correctly, the characters are input as plaintext and encrypted as ciphertext.
  2. Input validation. If there is input validation on the field, any input not formatted correctly as an SSN is rejected. In this case, the plaintext goes in post-validation, and the scheme uses Apex code to send it back to the proxy. The characters come back from the proxy as ciphertext, which is stored.

For more information about this encryption scheme, contact Skyhigh Security Support.

 
Internationalized Ordered Encryption (IOE) 

The Internationalized Ordered Encryption (IOE) scheme allows you to use international alphabets and keep lists of data in an alphabetically ordered state. It may also be used for free text fields with mixed language use. 

Supported alphabetic characters include:

  • Chinese (Simplified)
  • Chinese (Traditional)
  • Danish
  • Dutch
  • English
  • Finnish
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Norwegian
  • Portuguese
  • Russian
  • Spanish
  • Swedish
  • Thai

NOTE: The IOE encryption scheme is very slow. 

Use Case: For example, use this encryption scheme if you want to encrypt a list of customer or employee names using all available international alphabet characters, and preserve alphabetical order.
Length Preserving Randomized Encryption for Text Areas 

The Length Preserving Randomized Encryption for Text Areas scheme uses regular randomized encryption (AES-256 CBC encryption with random IV) for text areas. This encrypts the content in the text field, while preserving the length and searchability. 

To encrypt the content, this scheme uses a header and a footer. The header includes a sentinel, an algorithm enumerator, and a key version. The footer includes a sentinel, a capitalization bit field, and a punctuation bit field.

For example, suppose a text field contains the following sentence: "The guy’s name was Fred".

If you searched for "fred" (lowercase), you would still find it, because this scheme also encrypts the lowercase version of the name in the capitalization bit field in the footer. 

Use Case: Use this scheme for a text area when you want to preserve the length of the field, encrypt the content, and preserve searchability. 
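An added example (Python, not the product's code) of the header/footer framing and bit fields described above: the header carries a sentinel, an algorithm enumerator, a key version and an IV; the body is the lowercased text under an HMAC-SHA256 keystream with a random IV; the footer carries a sentinel plus a capitalization bit field and a punctuation bit field, so the exact original text, "The guy's name was Fred", is restored on decryption. The sentinel strings, the enumerator values and the key are constructed; the body in this demo is not length preserving, and the search index is not shown.

```python
import hashlib
import hmac
import os
import string

# Framing constants, constructed for this demo (not the product's real sentinels or enumerators).
HDR_SENTINEL = "<H"
FTR_SENTINEL = "<F"
ALG_ID = 1        # algorithm enumerator
KEY_VERSION = 2   # key version the body was encrypted under
IV_LEN = 8


def _bit_masks(text: str) -> tuple:
    """Bit i of the first mask is set when text[i] is uppercase, bit i of the
    second when text[i] is punctuation; both travel in the footer."""
    cap_mask = sum(1 << i for i, c in enumerate(text) if c.isupper())
    punct_mask = sum(1 << i for i, c in enumerate(text) if c in string.punctuation)
    return cap_mask, punct_mask


def encrypt_text_area(key: bytes, text: str) -> str:
    """header(sentinel, alg id, key version, IV) + body + footer(sentinel, cap mask, punct mask).
    The body is the lowercased text under a random-IV keystream; case lives only in the footer."""
    if not text.isascii() or len(text) > 32:
        raise ValueError("demo handles ASCII text of at most 32 characters")
    cap_mask, punct_mask = _bit_masks(text)
    iv = os.urandom(IV_LEN)
    keystream = hmac.new(key, iv, hashlib.sha256).digest()  # one block covers 32 bytes
    body = bytes(p ^ k for p, k in zip(text.lower().encode(), keystream))
    header = f"{HDR_SENTINEL}{ALG_ID:02x}{KEY_VERSION:02x}{iv.hex()}"
    footer = f"{FTR_SENTINEL}{cap_mask:x}:{punct_mask:x}"
    return header + body.hex() + footer


def parse_fields(token: str) -> dict:
    """Split a token back into its header, body and footer fields (no key needed)."""
    if not token.startswith(HDR_SENTINEL):
        raise ValueError("missing header sentinel")
    p = len(HDR_SENTINEL)
    alg_id = int(token[p:p + 2], 16)
    key_version = int(token[p + 2:p + 4], 16)
    iv = bytes.fromhex(token[p + 4:p + 4 + 2 * IV_LEN])
    body_hex, footer = token[p + 4 + 2 * IV_LEN:].split(FTR_SENTINEL, 1)
    cap_hex, punct_hex = footer.split(":", 1)
    return {"alg_id": alg_id, "key_version": key_version, "iv": iv,
            "body": bytes.fromhex(body_hex), "cap_mask": int(cap_hex, 16),
            "punct_mask": int(punct_hex, 16)}


def decrypt_text_area(key: bytes, token: str) -> str:
    """Strip the keystream, then restore capitalization from the footer bit field."""
    f = parse_fields(token)
    keystream = hmac.new(key, f["iv"], hashlib.sha256).digest()
    lowered = bytes(c ^ k for c, k in zip(f["body"], keystream)).decode()
    return "".join(c.upper() if (f["cap_mask"] >> i) & 1 else c
                   for i, c in enumerate(lowered))


def punctuation_positions(token: str) -> list:
    """Character positions flagged as punctuation, read from the footer alone."""
    f = parse_fields(token)
    return [i for i in range(len(f["body"])) if (f["punct_mask"] >> i) & 1]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    tok = encrypt_text_area(demo_key, "The guy's name was Fred")
    print(tok)
    print(decrypt_text_area(demo_key, tok), punctuation_positions(tok))
```

Because the body holds only the lowercased text, "Fred" and "fred" differ only in the footer bit field, which is the property that lets a case-insensitive match work against a single stored form; the key version in the header is what tells a decryptor which key to use after a key rotation.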
Line Oriented Searchable Encryption (LOE) 

The Line Oriented Searchable Encryption (LOE) scheme allows you to encrypt a line of text and still search that field for exact keywords.

This scheme works by encrypting each character in a text field, plus the white space and any punctuation, with a header and a footer. For example, consider a sentence in a text field such as "The little brown fox ran fast." The original number of characters including punctuation is 25. Using searchable encryption would add 25 + 6 × the header size + footer size. This doubles the length of the overall encryption.

LOE solves a problem that regular searchable encryption has with punctuation. For example, in the previous example sentence, the final word combines with the period, "fast." This makes "fast" alone unsearchable. LOE eliminates the extra period character as unnecessary and preserves searchability. 

Use Case: Use Line Oriented Searchable Encryption for free text areas that you want to be encrypted, but still searchable. For example, if you had a notes field with data that included a secret project name such as, "Customer is interested in learning roadmap for <secret project name>." The secret project name would be encrypted, but users could still search for it. This scheme can also be used in fields that include PCI information, or other compliance standards. 
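An added example, not the product's implementation, that shows the punctuation problem and the LOE-style fix in Python: each word is encrypted deterministically (a synthetic IV derived from the word, then an HMAC-SHA256 keystream, so equal words give equal tokens) and framed by header/footer sentinels; whitespace is kept and punctuation runs are dropped. A search encrypts the keyword and looks for that token in the stored value. The sentinels "[[" and "]]", the key and the sentence are constructed values, and naive_encrypt reproduces the problem case where "fast." is encrypted as one token.

```python
import hashlib
import hmac
import re

HDR = "[["   # header sentinel (constructed for this demo)
FTR = "]]"   # footer sentinel
TOKEN_RE = re.compile(r"\[\[([0-9a-f]+)\]\]")
IV_LEN = 4


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, keyed by the token IV."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_word(key: bytes, word: str) -> str:
    """Deterministic, reversible word token: the IV is derived from the word itself,
    so the same word always produces the same token (that is what makes it searchable)."""
    data = word.encode()
    iv = hmac.new(key, b"iv" + data, hashlib.sha256).digest()[:IV_LEN]
    ct = bytes(p ^ k for p, k in zip(data, _keystream(key, iv, len(data))))
    return HDR + (iv + ct).hex() + FTR


def decrypt_token(key: bytes, hexbody: str) -> str:
    raw = bytes.fromhex(hexbody)
    iv, ct = raw[:IV_LEN], raw[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct)))).decode()


def naive_encrypt(key: bytes, text: str) -> str:
    """Whitespace-split tokens with punctuation glued to the words: the problem case."""
    return " ".join(encrypt_word(key, t) for t in text.split())


def loe_encrypt(key: bytes, text: str) -> str:
    """Line oriented: encrypt each word, keep whitespace as-is, drop punctuation runs."""
    parts = []
    for tok in re.findall(r"\w+|\s+|[^\w\s]+", text):
        if tok.isspace():
            parts.append(tok)
        elif re.fullmatch(r"\w+", tok):
            parts.append(encrypt_word(key, tok))
        # any other run is punctuation, dropped as unnecessary for search
    return "".join(parts)


def loe_decrypt(key: bytes, ciphertext: str) -> str:
    return TOKEN_RE.sub(lambda m: decrypt_token(key, m.group(1)), ciphertext)


def search(key: bytes, ciphertext: str, keyword: str) -> bool:
    """Exact keyword search without decrypting: encrypt the keyword, look for its token."""
    return encrypt_word(key, keyword) in ciphertext


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    line = "The little brown fox ran fast."
    stored = loe_encrypt(demo_key, line)
    print(stored)
    print("LOE finds 'fast':", search(demo_key, stored, "fast"))
    print("naive finds 'fast':", search(demo_key, naive_encrypt(demo_key, line), "fast"))
```

With the naive tokenization the stored value contains a token for "fast." and none for "fast", so the exact-match search misses; the line-oriented form drops the period before encrypting, and the keyword matches. Decryption of the LOE form returns the sentence without its trailing period, which is the trade the scheme makes.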
Non-Searchable Encryption - Length Preserving

The Non-Searchable Encryption - Length Preserving scheme encrypts medium-length text content. This scheme is non-deterministic in nature, so users can’t search this content. This scheme has comparable security to Standard Encryption. 

IMPORTANT: This encryption scheme is very slow. We recommend that you use the Standard Encryption with Compression Encoding scheme instead. If you are currently using this scheme, you should consider migrating to the Standard Encryption with Compression Encoding Scheme in the future. 

 
Order Preserving Encryption

The Order Preserving Encryption scheme is the ideal candidate when the order of the encrypted content (alphabetic/numeric sort order) must be preserved and searches will be run on this ordered data. This encryption scheme also supports prefix search.

IMPORTANT: This scheme is the highest functionality and lowest security encryption scheme. Take care when assessing the tradeoffs associated with its use.

Use Case: FirstName/LastName of Account, Contact, or Person Account objects, when you want these fields to be searchable and to maintain their sorting order.
Rolodex Encryption Scheme

Use the Rolodex Encryption scheme when the order of the encrypted content (alphabetic/numeric sort order) must be preserved, and also when searches are run on this ordered data. 

The Rolodex Encryption scheme was created specifically for use with the Salesforce Rolodex sorting feature, which displays records based on the first letter of the first and last name. This scheme preserves the first letter, then encrypts the rest of the first and last name. Even though this scheme reduces encryption strength, it allows records to be sorted alphabetically, even after encryption. 

IMPORTANT: This scheme is the highest functionality and lowest security encryption scheme. Take care when assessing the tradeoffs associated with its use.

For more information, see Enable Rolodex Encryption.

 
Search Enabled Encryption - Length Preserving

The Search Enabled Encryption - Length Preserving scheme encrypts small text content in the form of a word or words. This scheme is deterministic: the same plaintext input always produces the same ciphertext output. Because this scheme preserves data searchability by encrypting deterministically, some types of statistical attacks are possible.

IMPORTANT: The exact expansion/contraction rates depend on the ciphertext encoding used, but in the current configuration an n-character plain text will result in a (4n/7)+6 character ciphertext.

Use Case: FirstName, LastName, City, Insurance-ID, and such attributes of an object, when you want to perform a search on these fields.
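A check a practitioner can run before choosing a deterministic scheme for a field, written as an added example in Python (not Skyhigh's code): it compares the value-frequency histogram of a constructed City column before and after encryption. A keyed HMAC output stands in for a deterministic cipher (the property under study is determinism, not the cipher itself), a random-nonce keystream stands in for randomized encryption, and equality_search shows the search capability that determinism buys.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable


def deterministic_token(key: bytes, value: str) -> str:
    """Same key + same plaintext -> same token every time. A keyed PRF output
    stands in for a deterministic cipher; only the determinism matters here."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:24]


def randomized_encrypt(key: bytes, value: str) -> str:
    """Fresh random nonce per call; token = nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(8)
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()  # covers values up to 32 bytes
    ct = bytes(p ^ k for p, k in zip(value.encode(), keystream))
    return (nonce + ct).hex()


def randomized_decrypt(key: bytes, token: str) -> str:
    raw = bytes.fromhex(token)
    nonce, ct = raw[:8], raw[8:]
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream)).decode()


def frequency_profile(values) -> list:
    """Sorted histogram of how often each distinct value appears, e.g. [5, 2, 2]."""
    return sorted(Counter(values).values(), reverse=True)


def leaks_value_frequencies(key: bytes, column: list, scheme: Callable) -> bool:
    """True when the encrypted column has the same frequency histogram as the plaintext."""
    encrypted = [scheme(key, v) for v in column]
    return frequency_profile(encrypted) == frequency_profile(column)


def equality_search(key: bytes, column: list, value: str) -> list:
    """Row indices whose deterministic token equals the token of the search value."""
    target = deterministic_token(key, value)
    return [i for i, v in enumerate(column) if deterministic_token(key, v) == target]


# Constructed sample column: a low-entropy field with repeated values.
CITY_COLUMN = ["Austin", "Austin", "Denver", "Austin", "Boston",
               "Denver", "Austin", "Boston", "Austin"]

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    print("plaintext profile:", frequency_profile(CITY_COLUMN))
    print("deterministic leaks frequencies:",
          leaks_value_frequencies(demo_key, CITY_COLUMN, deterministic_token))
    print("randomized leaks frequencies:",
          leaks_value_frequencies(demo_key, CITY_COLUMN, randomized_encrypt))
    print("rows with Denver:", equality_search(demo_key, CITY_COLUMN, "Denver"))
```

Equal tokens reveal equal plaintexts, so the deterministic column keeps the [5, 2, 2] shape of the plaintext column, which is what a statistical attack works from; the randomized column is flat but cannot be searched by equality. That is the trade-off the note above describes, and why a low-entropy field is a weaker fit for this scheme than a high-entropy one such as an insurance ID.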
Standard Encryption Scheme

The Standard Encryption scheme is non-length-preserving, randomized encryption. This scheme does not preserve any functionality. A use case for this is a free-text field, Chatter post, or blog post.

IMPORTANT: No functionality is preserved. This is the strongest encryption offered.

 
Standard Encryption with Compression Encoding Scheme

The Standard Encryption with Compression Encoding scheme encrypts medium-length text content. Data encryption with this scheme will no longer be searchable. This scheme uses standard AES-256 with Random IVs and CJK encoding for compression. 

Use this encryption scheme instead of the Non-Searchable Encryption - Length Preserving scheme.

IMPORTANT: The exact expansion/contraction rates depend on the ciphertext encoding used, but in the current configuration an n-character plain text will result in a (4n/7)+14 character ciphertext.

 

Use Case: This scheme fits well when you want to encrypt medium-length text content in fields like Description of a Case, Comments on a Task, etc. Typical target fields in SFDC are a Text Area, either on standard or custom objects. 
Unencrypted Scheme

The Unencrypted scheme is the default choice for every field, and it leaves the field unchanged. The content of the field will appear in clear text and always be searchable.

Use Case: Select Unencrypted for fields that need no encryption.

 
