The Welkin Suite Forum

Deploying an object with enabled Shield encryption on (standard) fields




#1

joachim.roesecke

    Posted 20 Apr 2018 and edited 29 Aug 2018

    Hi

    A couple of days ago I created a new field on the Salesforce Account object within the TWS which had standard fields encrypted via Shield Platform encryption. During deployment of the object, all Account fields were decrypted. This is critical. I do not dare to test this again but maybe you know what the problem may be.

    Cheers, Joachim



    3 replies to this topic

    #2

    kate.dulko

      Posted 20 Apr 2018

      Hi Joachim,


      Thank you for bringing this to our attention.


      To be honest with you, we haven't been faced with a case of using Shield Platform encryption so we have started to investigate how we can handle this.

      I will write back to you if we find any temporary solution for this, and also, of course, I will keep you updated on our progress of working on this issue.


      Thank you greatly for your collaboration!


      Best regards,

      Kate


      Kate Dulko
      Customer Relations

      The Welkin Suite

      twitter: @KateDulko
      skype id: d_katerina
      e-mail: kate.dulko@welkinsuite.com

       

        


      #3

      joachim.roesecke

        Posted 17 Aug 2018 and edited 17 Aug 2018

        Hi

        I have just encountered this again (newest release). Apparently, when one deploys an object with fields with encryption enabled, the XML you get back has all the encryption removed. You should be able to reproduce this by doing the following:

        1. Create a text field on an object in an organization with Shield Platform Encryption Enabled (you can enable this in any newer Dev Org).
        2. Pull the object into TWS and change the tag "<encrypted>false</encrypted>" on the field to "<encrypted>true</encrypted>".
        3. Deploy the object.

        The result is that the field is encrypted but the XML will say "<encrypted>false</encrypted>" again. If you deploy this object again, the encryption will be removed if you do not explicitly set it to "true" again. This is extremely critical as it may result in unintentional decryption of fields which would take a looooong time in case you have a huge number of records in this object and/or many encrypted fields. This is also a security risk and may cause huge issues in the course of GDPR!

        I urge you to fix this very soon.

        Thanks & Regards,

        Joachim

        Addendum: if I execute a "Force Pull", I get the object with the encryptions enabled, but this cannot be the solution as it is easy to forget this.



        #4

        kate.dulko

          Posted 29 Aug 2018

          Hi Joachim,


          Thank you for your update and for the provided steps, and sorry for the delay in our response.


          Looks like when you change these encryption settings in a field, the Last Modified date for an object isn't changed, and this is why the regular pull process doesn't see the changes. For example, the same case applies when you add a new field to an object.

          At the same time, the Force pull functionality re-downloads this object anyway and you can get your updated file.


          We are going to investigate why exactly the issue is reproduced when you deploy the changed value for the encryption settings.
          I will keep you updated on our progress.


          Thank you for your collaboration!


          Best Regards,

          Kate


          Kate Dulko
          Customer Relations

          The Welkin Suite

          twitter: @KateDulko
          skype id: d_katerina
          e-mail: kate.dulko@welkinsuite.com
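
A pre-deploy check for the situation described in posts #3 and #4, as an added example that is not part of the original thread or of The Welkin Suite: it compares the local object file with a freshly force-pulled copy and lists the fields that are encrypted in the org but would be deployed with `<encrypted>false</encrypted>`. The field names and sample XML are constructed; the `<encrypted>` tag is the one quoted in post #3.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce metadata files (.object)
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}


def encrypted_flags(object_xml):
    """Map each field's fullName to the boolean value of its <encrypted> tag."""
    root = ET.fromstring(object_xml)
    flags = {}
    for field in root.findall("md:fields", NS):
        name = field.findtext("md:fullName", default="", namespaces=NS).strip()
        # A missing tag is treated as "false", which is how the stale file behaves
        value = field.findtext("md:encrypted", default="false", namespaces=NS)
        flags[name] = value.strip().lower() == "true"
    return flags


def encryption_regressions(local_xml, org_xml):
    """Fields encrypted in the org copy that the local copy would deploy unencrypted."""
    local = encrypted_flags(local_xml)
    org = encrypted_flags(org_xml)
    return sorted(n for n, enc in org.items() if enc and n in local and not local[n])


def object_xml(*fields):
    """Build a constructed, minimal object file from (fullName, encrypted) pairs."""
    body = "".join(
        f"<fields><fullName>{n}</fullName><encrypted>{e}</encrypted>"
        f"<type>Text</type></fields>"
        for n, e in fields
    )
    return f'<CustomObject xmlns="{NS["md"]}">{body}</CustomObject>'


# Constructed sample: the local file after a regular pull vs. a Force Pull copy
STALE_LOCAL = object_xml(("Secret__c", "false"), ("Notes__c", "false"))
FORCE_PULLED = object_xml(("Secret__c", "true"), ("Notes__c", "false"))

if __name__ == "__main__":
    for name in encryption_regressions(STALE_LOCAL, FORCE_PULLED):
        print(f"BLOCK DEPLOY: {name} is encrypted in the org, false in the local file")
```

Run as a gate before every deploy of an object from an org with Shield Platform Encryption; any output means the local file must be refreshed or corrected first.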

           

            




