Key rotation refers to the process of updating or changing your key material. You can
edit existing key materials or replace them with new ones. If you edit or update your external
key, make sure to align your external key details across both Salesforce and AWS KMS.
Required Editions
Available in both Lightning Experience and Salesforce Classic (not available in
all orgs).
Available in: Enterprise, Performance, Unlimited, and
Developer Editions. Requires purchasing Salesforce Shield or Shield
Platform Encryption, and the External Key Management Service. Data 360 customers
must also have the Platform Encryption for Consumption license.
User Permissions Needed
To generate, destroy, export, import, upload, and configure
tenant secrets and customer-supplied key material: Manage Encryption Keys
Keep these considerations in mind when rotating external keys.
If you deactivate or destroy external keys, encrypted key material is evicted from the
cache.
If you disable, deactivate, or delete the external key or an associated Salesforce
data-encryption key, related Salesforce data encrypted with that key is no longer
accessible.
As a best practice, rotate data encryption keys in sandboxes after a refresh. Rotation
ensures that production and sandbox orgs use different data encryption keys. In a sandbox,
you can’t activate or deactivate an external key that was created in production.
From Setup, in the Quick Find box, enter Platform Encryption, and
then select Key Management.
Click Manage External Keys.
Choose to either use the latest configuration of the current key or to use a different
key.
Complete the steps on screen.
Store or version your old keys securely, in case you need them again someday. Communicate the
change you made so others who need to know are aware.