What I really liked about Salesforce encryption platform Shield is the strategy "Encryption at rest". Each and every field in Salesforce that is marked for encryption is encrypted using two keys. One is generated by Salesforce and the other is known as the tenant key. It takes four hours for the tenant key to be generated. These keys are not familiar to Salesforce and are exported by clients and then Salesforce deletes them. Once they are deleted, the encrypted data cannot be decrypted unless the same key is imported. However, Salesforce introduced the "Bring Your Own Key" (BYOK) strategy, where clients generate their own key and provide it to Salesforce for encryption.
Moreover, the performance degradation is low because the encryption process takes place inside Salesforce.
Another important feature I liked was that I could monitor user activity, which provides visibility. Then the application usage could be tracked. In case of a customer's compliance needs, custom policies could be defined.
I could retain field history for 10 years and had 60 fields per object. As the data was encrypted at rest, there was no impact on integration or workflow. Like other Salesforce products, it gets updated.
What I disliked about the Salesforce encryption platform Shield is that it is expensive. There are many kinds of data types that are not supported by the Salesforce Shield. It is another drawback of Shield that not all standard fields are supported. Neither are the different kinds of objects. These are the cons of the Shield.
Though Shield is expensive, it is a well-maintained encryption platform by Salesforce. So, reconsidering the few cons, Shield is a well-recommended encryption platform worth a try.