Encrypted fields

However unlikely you feel data theft might be, some markets and government regulations require data encryption. Salesforce offers two options for encrypting field values at rest, that is, records physically stored on permanent storage, so that your application data is held in its data centers in an encrypted form:

  • Classic Encryption: Encrypted fields leverage 128-bit master keys and use the Advanced Encryption Standard (AES) algorithm to store values; they are displayed using a character mask (currently not developer-definable). Such fields are packageable, though this only applies to text fields.
  • Platform Encryption: Customers that have purchased the Salesforce Shield add-on can enable 256-bit AES encryption for certain standard fields and Custom Fields of their choosing. It can be applied to email, phone, text, text area, URL, and date and date/time fields. While the encryption level is higher, this facility does come with some significant restrictions – these are covered in the next section.

Encrypted field values are visible to users who have the View Encrypted Data permission, which your requirements may not tolerate. This includes users to whom you grant login access, such as through subscriber support. The Apex, Visualforce page, Lightning component, and Validation Rule logic you package can see unencrypted values, so developers need to take extra care if you want to mask field values. If your only concern is compliance with encryption at rest, this may not be such an issue for you.
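One way packaged Apex can mask a Classic Encryption field before handing it to a page or component, shown as an added example that is not code from the book. The class name `EncryptedFieldMasker`, its method names, and the choice to leave the last four characters visible are assumptions made for illustration.

```apex
// Hypothetical helper (not from the book): Apex reads encrypted fields in
// clear text, so the masking decision has to be made in code before a value
// is returned to a Visualforce page or Lightning component.
public with sharing class EncryptedFieldMasker {
    private static Boolean cachedCanView; // one permission query per transaction

    // True when the running user holds View Encrypted Data through their
    // profile or any assigned permission set (profiles are backed by a
    // profile-owned permission set, so one query covers both).
    public static Boolean canViewEncryptedData() {
        if (cachedCanView == null) {
            cachedCanView = [
                SELECT COUNT() FROM PermissionSetAssignment
                WHERE AssigneeId = :UserInfo.getUserId()
                AND PermissionSet.PermissionsViewEncryptedData = true
            ] > 0;
        }
        return cachedCanView;
    }

    // Replace all but the last visibleSuffix characters with '*'.
    // Values no longer than the suffix are masked completely.
    public static String mask(String value, Integer visibleSuffix) {
        if (String.isEmpty(value)) {
            return value;
        }
        if (visibleSuffix <= 0 || value.length() <= visibleSuffix) {
            return '*'.repeat(value.length());
        }
        return '*'.repeat(value.length() - visibleSuffix) + value.right(visibleSuffix);
    }

    // Return the value to show the running user: clear text for fields that
    // are not encrypted or for users with the permission, masked otherwise.
    public static String forDisplay(SObject record, Schema.SObjectField field) {
        Object raw = record.get(field);
        if (raw == null) {
            return null;
        }
        String value = String.valueOf(raw);
        Boolean encrypted = field.getDescribe().isEncrypted();
        return (!encrypted || canViewEncryptedData()) ? value : mask(value, 4);
    }
}
```

A controller would call `forDisplay` on each encrypted field it exposes instead of returning the record itself, so the clear-text value never leaves Apex for users without the permission.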
