An Overview on Database Encryption

Utilizing database encryption in Snapforce.

How does it work?

All database transactions are signed and verified with HMAC-SHA256, a keyed-hash message authentication code (HMAC) built on the SHA-256 hash function. Note that an HMAC authenticates data: it detects any modification of a record and proves that the record was produced by a holder of the secret key. It does not by itself keep the data secret; confidentiality comes from the encryption options described under Features below.

Definition - This definition is taken from RFC 2104:

HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))

where
H is a cryptographic hash function,
K is the secret key,
m is the message to be authenticated,
K' is another secret key, derived from the original key K by first hashing K if it is longer than the input block size of the hash function, and then padding the result to the right with zeroes up to that block size,
|| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
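As an added example (not Snapforce's code; the key and the transaction record are constructed for illustration), here is HMAC-SHA256 written out directly from the definition above, checked against Python's standard library, and then used to sign and verify a record the way the page describes, with a constant-time comparison on the verify side:

```python
import hashlib
import hmac
import json

BLOCK_SIZE = 64  # SHA-256 input block size in bytes (B = 64 in RFC 2104)


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from the RFC 2104 definition:
    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    # K': hash the key if it is longer than one block, then zero-pad it to one block
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    k_prime = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k_prime)  # inner padding 0x3636...36
    opad = bytes(b ^ 0x5C for b in k_prime)  # outer padding 0x5c5c...5c
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written HMAC against hmac.new() for the same inputs."""
    reference = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, message), reference)


def canonical(tx: dict) -> bytes:
    # Deterministic serialization: the tag covers exactly these bytes, so
    # signer and verifier must agree on key order and separators.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, tx: dict) -> dict:
    """Return a copy of the record with its HMAC tag attached."""
    signed = dict(tx)
    signed["mac"] = hmac_sha256(key, canonical(tx)).hex()
    return signed


def verify_transaction(key: bytes, signed: dict) -> bool:
    """Recompute the tag over the record (minus the tag) and compare in constant time."""
    record = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac_sha256(key, canonical(record))
    try:
        presented = bytes.fromhex(signed.get("mac", ""))
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample: a hypothetical key and a made-up CRM transaction
    key = b"example-transaction-signing-key"
    tx = {"id": 1042, "account": "acme", "amount": 250}
    signed = sign_transaction(key, tx)
    print("valid:", verify_transaction(key, signed))
    signed["amount"] = 2500  # tamper with the stored record
    print("after tampering:", verify_transaction(key, signed))
```

The `matches_stdlib` check is worth running with a key longer than 64 bytes, since that exercises the hash-the-key branch that a naive implementation usually gets wrong.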

How do I enable it?

First, if you don't already have data encryption enabled, you'll need to open a support ticket and have the feature provisioned.

What features are included?

Once configured the following options are available:

  • Enable the ability to self-manage encryption keys that are associated with your Snapforce CRM.

  • Generate new encryption keys if needed.

  • Lock your Snapforce CRM database.

  • Unlock your Snapforce CRM database.

Optional features include:

  • Complete database encryption - usually only necessary when every column in your database must be encrypted. Snapforce uses your key to decrypt the data automatically when users view the application, which means the application itself holds and uses the key; users are never prompted for it.
  • Field-level database encryption - what most customer implementations consist of: a predetermined set of database columns whose data is encrypted. Only the users who need read access to the encrypted columns keep a copy of the key, and they use it when viewing an encrypted field: the user clicks the decrypt button on the field and is prompted for the key; if the key entered is correct, the data is decrypted for the user to read.
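An added illustration of the field-level flow (not Snapforce's implementation, whose cipher and key handling the page does not describe): a column value is encrypted under keys derived from the user's passphrase, and "the key matches" is decided by checking an authentication tag before anything is decrypted, so a wrong key or a tampered stored value is refused rather than decrypted into garbage. The cipher here is an HMAC-SHA256 keystream with encrypt-then-MAC so the example runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM from a vetted library. The function names, the passphrase and the sample card number are made up:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 100_000


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter), one 32-byte block at a time.
    # Illustrative stand-in for a real cipher; the nonce must never repeat under one key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(passphrase: str, plaintext: str) -> bytes:
    """Produce the stored column value: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    data = plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    # Tag covers everything the decryptor will trust: salt, nonce and ciphertext
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_field(passphrase: str, blob: bytes) -> Optional[str]:
    """Return the plaintext, or None when the key is wrong or the value was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Verify first, in constant time; only then decrypt
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


if __name__ == "__main__":
    # Constructed sample: a made-up passphrase and a made-up card number
    stored = encrypt_field("correct horse battery staple", "4111 1111 1111 1111")
    print("stored column bytes:", len(stored))
    print("right key:", decrypt_field("correct horse battery staple", stored))
    print("wrong key:", decrypt_field("password1", stored))
```

Because the salt and nonce are fresh per value, two identical plaintexts in the same column produce different stored bytes, so the encrypted column does not leak which rows share a value. Rotating the key means re-encrypting every stored value, which is why the page warns that key changes are slow on large databases.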

Downsides to Database Encryption

Decrypting a field is a two-click process. The only downside is a bit of added work for your users, who will need to decrypt the data before being able to read it. With more security comes more friction: each added layer of security makes your system a little more difficult to use.

Two further points to keep in mind:

  • Changing the encryption key can be a time-consuming process if your database is large, since every encrypted value has to be re-encrypted under the new key.
  • Provide the key only to users who absolutely need access to the sensitive data; anyone holding the key can read every field encrypted with it.