EKM Considerations
Take care when managing your external keys. Your Salesforce application depends on your external keys to encrypt and decrypt your data. If the key status changes, your users could permanently lose access to encrypted data.
Required Editions

| Available in both Lightning Experience and Salesforce Classic (not available in all orgs). |
|---|
| Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service. Data 360 customers must also have the Platform Encryption for Consumption license. |

| User Permissions Needed | |
|---|---|
| To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: | Manage Encryption Keys |
- Make sure that your encryption policy includes key-rotation and key-backup strategies as safeguards against unplanned key loss. Deactivate operations evict encrypted key material from the cache. If the external key or the associated Salesforce data encryption keys are disabled or deactivated, related Salesforce data encrypted with them is no longer accessible.
- External keys created in production can’t be activated or deactivated in sandboxes, and they can only be used for decryption in the sandbox. Create a new root key for the sandbox and rotate sandbox data encryption keys immediately after a refresh. Rotation ensures that production and sandbox orgs use different data encryption keys, and that you’ll have full control over them.
- If a key isn’t available on the external KMS, after the key is flushed from the cache, neither encryption nor decryption is possible. Users who try to access encrypted data see three question marks (???) instead of the ciphertext. Any attempts to write data to encrypted fields fail. Users see an error message that says the key is unavailable.
- When the external key isn’t available, we change the status of the key to Unavailable. This means we stop trying to call the external KMS to get the key. You can check the connection to attempt to reconnect to the key and update its status.
- Platform Encryption for Data 360 manages EKM root keys only, not data encryption keys.
- Unlike Salesforce Shield, which can have separate keys for different features (such as for Fields and Files, and for Search Indexes), Data 360 can use only one: either a single EKM root key or a Salesforce root key (also known as a customer managed key) for all its data.
- For Data 360, migrating from a customer managed key to EKM affects only new data in Data 360 data sources. Migrating from an EKM key back to a customer managed key triggers a re-encryption of all data in Data 360 data sources.
- If you’re using EKM, you can still rotate the other types of keys available to your product (EKM, BYOK, Cache-only key, or a Salesforce-generated key).