Common key operations include auditing, deactivating, reactivating, rotating, and
checking the connection to your external keys. These operations affect the keys identified in
your Salesforce setup. The original keys in the external KMS are managed by a separate external process.
Required Editions
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service. Data 360 customers must also have the Platform Encryption for Consumption license.
User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
Audit an EKM Key
In this context, auditing means examining the details about the EKM key, such as when it was last modified. You can also view each external key’s unique policy.
Deactivate an EKM Key
When you want to revoke all access to encrypted data, or rotate keys as a part of planned maintenance, you can deactivate key material. The effect of deactivating key material is similar to that of deleting a key. Your data remains encrypted, but it can’t be decrypted.
Reactivate an EKM Key
You can make a previously deactivated key active again. When a key is reactivated, data previously encrypted with the key can be decrypted and viewed.
Rotate an EKM Key
Key rotation refers to the process of updating or changing your key material. You can edit existing key materials or replace them with new ones. If you edit or update your external key, make sure to align your external key details across both Salesforce and AWS KMS.
Check the Connection to Your EKM Key
You can check the connection between Salesforce and your external key management service. This information can help you troubleshoot problems when you configure your key policy.