What is this page?
This page demonstrates symmetric encryption and decryption using the AES algorithm with a 256-bit key (AES256). In symmetric encryption, the same key is used for both encrypting and decrypting the data.
This page is intended for demonstration and learning purposes only (in relation to how Shield Platform Encryption works). It was built by the Own Demo Team (#own-demo-team).
Authored by Matt Potts, last updated 25th July 2025. Reviewed by Antoine Mohanna.
What should I try and do?
Try this:
- Provide an "Original Record" in plain text (such as the word "Salesforce")
- Encrypt the record (you will then see the encryption key and the ciphertext).
- Decrypt the data (the ciphertext will be decrypted to plaintext)
Optional:
- Copy the encryption key onto your clipboard (to mimic a backup of the key)
- Destroy the key (to mimic revoking a key). The decrypted data will no longer be displayed.
- Paste the key back in (to mimic a recovery). Reload the key. Try decrypting the data again.
The Encryption Process:
- You provide an "Original Record" in plain text (such as the word "Salesforce")
- A unique Symmetric Key is generated in your browser. This is the encryption key, so it is crucial to the process.
- An Initialization Vector (IV) is used. Its generation depends on the chosen mode:
  - Probabilistic Mode: A random IV is generated for each encryption.
  - Deterministic Mode: A static IV is used.
- The original data, the symmetric key, and the IV are used by the AES algorithm to produce the "Encrypted Data" (ciphertext).
- Both the "Encrypted Data" and the "Initialization Vector (IV)" are displayed in Base64 format for easy viewing and transfer. The IV is not secret, but it must be unique for each encryption in probabilistic mode, or consistently applied in deterministic mode.
The Decryption Process:
- To decrypt, the "Encrypted Data", the same symmetric key, and the same IV that were used during encryption are required.
- The AES algorithm uses these three pieces of information to reverse the encryption, revealing the "Decrypted Record" (original plain text).
Destroying the key:
You can choose to destroy the key, which will remove the decrypted value along with the key itself. Before destroying the key, you can copy it to your clipboard, allowing you to paste it back in after destroying it. After loading the pasted key, you can try decrypting the data again. This speaks to the need to securely back up encryption keys.
Probabilistic vs. Deterministic Encryption:
The choice between these modes dictates how the Initialization Vector (IV) is handled:
- Probabilistic Encryption: Uses a unique/random IV for every encryption. This means that even if you encrypt the exact same plain text multiple times with the same key, the resulting encrypted data (ciphertext) will be different each time.
- Deterministic Encryption: Uses a static IV for each field (i.e., a different IV for each field). This means that encrypting the exact same plain text with the same key will always produce the identical encrypted data.
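The two IV modes and the key destroy/recover steps described above, as an added example that is not this demo page's own code. It runs in Node.js with the built-in crypto module; AES-256-CBC, the per-field IV derivation (SHA-256 of the field name) and the field names "Name" and "City" are assumptions, since the page does not state the AES mode or how the static IV is chosen.

```javascript
// Added example; AES-256-CBC is an assumption (the page does not name the AES mode).
const nodeCrypto = require('node:crypto');

// Probabilistic: fresh random 16-byte IV per encryption.
// Deterministic: static IV per field (assumed derivation: SHA-256 of the field name).
function ivFor(mode, fieldName) {
  if (mode === 'probabilistic') return nodeCrypto.randomBytes(16);
  return nodeCrypto.createHash('sha256').update(fieldName).digest().subarray(0, 16);
}

function encryptField(key, mode, fieldName, plaintext) {
  const iv = ivFor(mode, fieldName);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Base64 for display and transfer, as on the page. The IV is not secret.
  return { iv: iv.toString('base64'), ciphertext: ct.toString('base64') };
}

function decryptField(key, record) {
  if (!key) throw new Error('key destroyed: ciphertext cannot be decrypted');
  const iv = Buffer.from(record.iv, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.from(record.ciphertext, 'base64');
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function runDemo() {
  let key = nodeCrypto.randomBytes(32);           // 256-bit symmetric key
  const backup = key.toString('base64');          // "copy to clipboard" = key backup
  const p1 = encryptField(key, 'probabilistic', 'Name', 'Salesforce');
  const p2 = encryptField(key, 'probabilistic', 'Name', 'Salesforce');
  const d1 = encryptField(key, 'deterministic', 'Name', 'Salesforce');
  const d2 = encryptField(key, 'deterministic', 'Name', 'Salesforce');
  const d3 = encryptField(key, 'deterministic', 'City', 'Salesforce');

  key.fill(0); key = null;                        // destroy the key
  let failedWithoutKey = false;
  try { decryptField(key, p1); } catch (e) { failedWithoutKey = true; }

  key = Buffer.from(backup, 'base64');            // paste the key back in
  return {
    probabilisticDiffers: p1.ciphertext !== p2.ciphertext,
    deterministicRepeats: d1.ciphertext === d2.ciphertext,
    perFieldIvDiffers: d1.ciphertext !== d3.ciphertext,
    failedWithoutKey,
    recovered: decryptField(key, p1),
  };
}
```

Deterministic mode shows which records in a field hold the same value, because equal plaintexts give equal ciphertexts; probabilistic mode does not.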
The diagram below provides an example of Probabilistic Vs Deterministic encryption in relation to Shield Platform Encryption's Field Level Encryption: