encrypted-field-query-patterns
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
Best use case
encrypted-field-query-patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
Teams using encrypted-field-query-patterns should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/encrypted-field-query-patterns/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How encrypted-field-query-patterns Compares
| Feature / Agent | encrypted-field-query-patterns | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Encrypted Field Query Patterns ## The Core Constraint Shield Platform Encryption changes SOQL semantics. Plan the queries FIRST, then choose the encryption scheme. Reversing that order means rebuilding schemas later. ## Scheme Matrix | Scheme | Use Case | SOQL Support | |---|---|---| | **Probabilistic** | Max security, display-only | NO filter, NO sort, NO group by, NO index | | **Deterministic (case-sensitive)** | Exact match required | `=`, `IN`, joins, unique indexes; NO range, NO LIKE | | **Deterministic (case-insensitive)** | Exact match, case-agnostic | `=`, `IN`; NO range, NO LIKE | No scheme supports `LIKE` on encrypted fields. No scheme supports range (`>`, `<`, `BETWEEN`) operators. ## Decision By Query Pattern | Query | Scheme | |---|---| | Display only (never filter) | Probabilistic | | Lookup by exact value | Deterministic (case-sensitive if value is case-stable) | | Customer search by name (case-agnostic) | Deterministic case-insensitive | | Range query (date, amount) | **Do not encrypt** — use field-level security + masking | | LIKE search | **Do not encrypt** — or store a derived hash/index field | | Sort by field | Only if you rely on display order, not SOQL ORDER BY | ## Indexing - Custom indexes on deterministic encrypted fields are supported for equality filters. - Standard indexes (lookup, master-detail) are not automatically present on encrypted fields — request a custom index. - Query selectivity degrades if the encrypted field has low cardinality post-encryption. ## Aggregation And Reporting - GROUP BY on encrypted field: supported only with deterministic. - SUM / AVG on an encrypted number: generally not supported — leave aggregatable numerics unencrypted unless compliance requires. - Reports with filters on encrypted fields: equality works for deterministic; others fail at runtime. ## Apex Patterns Encrypted fields read and write transparently in Apex for users with "View Encrypted Data" permission. Without that permission, reads return masked values (`*********`). Plan for: - Test users with both modes. - Avoid logging encrypted values in `System.debug` even when you have permission — Event Monitoring / debug logs may persist. ## Recommended Workflow 1. Enumerate every query / report / list view / filter that touches each candidate field. 2. Classify each query: exact, range, LIKE, aggregate, display. 3. Apply the scheme matrix. Flag fields where encryption blocks a required query. 4. For blocked fields, decide: drop the requirement, skip encryption, or derive a hashed index field (one-way). 5. Request custom indexes on deterministic fields used as filters. 6. Test with both "View Encrypted Data" and masked users. 7. Document the scheme per field in a schema decision log. ## Official Sources Used - Shield Platform Encryption Overview — https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm - Deterministic Encryption — https://help.salesforce.com/s/articleView?id=sf.security_pe_deterministic_encryption.htm - Encrypted Fields In SOQL — https://help.salesforce.com/s/articleView?id=sf.security_pe_apps_soql.htm
Related Skills
mfa-enforcement-patterns
Design MFA enforcement: auto-enablement, Salesforce Authenticator rollout, exceptions, service accounts, API-only users, SSO interop, and audit. Trigger keywords: MFA, multi-factor, two-factor, Salesforce Authenticator, MFA exception, MFA SSO, api-only MFA. Does NOT cover: end-user password policies, device-trust posture, or non-Salesforce IdP configuration.
field-audit-trail
Salesforce Shield Field Audit Trail: configuration, retention policies, querying archived field data, compliance requirements. NOT for field history tracking (use field-history-tracking).
apex-managed-sharing-patterns
Grant row-level access programmatically via __Share records when declarative sharing rules cannot express the policy. NOT for OWD, role hierarchy, or criteria-based sharing rule design.
omnistudio-testing-patterns
Use when testing or validating OmniStudio components — OmniScript preview, Integration Procedure step debugging, DataRaptor field-mapping validation, and end-to-end UTAM-based automation. NOT for Apex unit testing or standard Flow debugging.
omnistudio-field-mapping-governance
Govern DataRaptor field mappings to prevent runtime errors when source metadata changes: naming, versioning, and dependency tracking. NOT for DataRaptor authoring fundamentals.
omnistudio-error-handling-patterns
Use when designing fault behavior across Integration Procedures, DataRaptors, OmniScripts, and FlexCards — error routing, user-facing messaging, retry semantics, and idempotency. Triggers: 'omnistudio error', 'integration procedure fault', 'dataraptor error handling', 'omniscript retry', 'flexcard action failure'. NOT for general Apex exception design or Flow fault paths.
omnistudio-ci-cd-patterns
Use when designing or implementing CI/CD pipelines for OmniStudio components — DataPack export/import, versioning, environment promotion, and automated deployment. NOT for standard Salesforce metadata CI/CD or Apex-only pipelines.
omniscript-design-patterns
Use when designing or reviewing OmniScripts for guided experiences, step structure, branching, save/resume, and the boundary between OmniScript, Integration Procedures, DataRaptors, and custom LWCs. Triggers: 'omniscript design', 'too many steps in omniscript', 'save and resume omniscript', 'branching in omniscript', 'when should this be an integration procedure'. NOT for deep Integration Procedure or DataRaptor design when the guided interaction layer is not the main concern.
integration-procedure-cacheable-patterns
Use when designing Integration Procedures (IPs) with platform cache to cut latency and callout load. Covers cache key design, TTL selection, per-user vs org-wide partitions, invalidation on data changes, and safe fallback on cache miss/stale. Does NOT cover general IP authoring (see omnistudio-error-handling-patterns) or LWC client-side caching.
flexcard-design-patterns
Use when designing, building, or reviewing OmniStudio FlexCards — including data source selection, card states, actions, conditional visibility, flyout configuration, and child card iteration. Triggers: 'FlexCard', 'card template', 'flyout', 'card action', 'card state', 'data source', 'child card', 'conditional visibility'. NOT for OmniScript design, standalone LWC development, or Apex controller architecture outside the FlexCard context.
dataraptor-patterns
Use when designing or reviewing OmniStudio DataRaptors, especially Extract versus Turbo Extract versus Transform versus Load, field mapping strategy, performance tradeoffs, and when to move work into Integration Procedures or Apex. Triggers: 'DataRaptor Extract', 'Turbo Extract', 'DataRaptor Load', 'DataRaptor Transform', 'OmniStudio data mapping'. NOT for overall OmniScript journey design or Integration Procedure sequencing when the main question is not the DataRaptor shape itself.
wire-service-patterns
Use when designing or reviewing Lightning Web Components that use `@wire`, Lightning Data Service, UI API, or the GraphQL wire adapter, especially for reactive parameters, cache behavior, and refresh strategy. Triggers: 'wire service', 'refreshApex', 'reactive parameter', 'getRecord', 'wire vs imperative Apex'. NOT for component communication or generic lifecycle issues when data provisioning is not the main concern.