Destroy a Cache-Only Key
When you destroy a cache-only key, you’re destroying two things: the key in the cache and the callout connection to the key service.
Required Editions
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service.
| User Permissions Needed | |
|---|---|
| To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: | Manage Encryption Keys |
Warning: You are solely responsible for making sure that your data and key material are backed up and stored in a safe place. Also, due to rotation, over time you will accumulate a number of keys. You should back them up into source control, and keep an up-to-date registry of your keys outside of Salesforce. Salesforce can’t help you with deleted, destroyed, or misplaced tenant secrets and keys. Even if you destroy a key in your Salesforce org, we strongly encourage you to preserve your backup copy in source control.
- From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
- In the Key Management Table, select a key type.
- Find your key in the table and click Destroy.
  Your key material’s status is changed to Destroyed, and callouts to this key stop. Data encrypted with this key material is masked with “?????” in the app.
Note: Your cache-only key is unique to your org and to the specific data to which it applies. When you destroy a cache-only key, related data isn’t accessible unless you reactivate it and make sure that Salesforce can fetch it.

