Key Coordination Policy Setup
Track the status of both the external KMS key and the Salesforce EKM key that depends on it.
Required Editions
| Available in both Lightning Experience and Salesforce Classic (not available in all orgs). |
|---|
| Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service. Data 360 customers must also have the Platform Encryption for Consumption license. |

| User Permissions Needed | |
|---|---|
| To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: | Manage Encryption Keys |
The relationship between the external KMS key and the Salesforce EKM key is one-way. Though the EKM key refers directly to the external key, the external KMS has no reference back to the EKM key. If the external key is inadvertently deleted, encryption and decryption continue only until the external key is flushed from the cache. After the external key is flushed from the cache, it can’t be retrieved again, so no decryption of data that was encrypted with the matching EKM key is possible.
Set up an operational accounting policy that governs how the key states are communicated and managed. If you no longer need an EKM key, you can deactivate it on the Key Management page in Setup. But what do you do with the external key? We recommend that you back it up. To avoid losing access to data, document the who, what, when, where, why, and how of all your key relationships. Make that documentation available to the people who need it.