A sandbox org that’s copied, refreshed, or cloned from a source org that uses EKM keys
is granted minimum access to the source org’s keys, so that it can decrypt any encrypted data it
inherited from the source org. A sandbox org can’t manage its source org's keys in any way,
because sandboxes have limited access to those keys. Rotate the keys in a sandbox org as soon as
you create it.
Required Editions
Available in both Lightning Experience and Salesforce Classic (not available in
all orgs).
Available in: Enterprise, Performance, Unlimited, and
Developer Editions. Requires purchasing Salesforce Shield or Shield
Platform Encryption, and the External Key Management Service. Data 360 customers
must also have the Platform Encryption for Consumption license.
User
Permissions Needed
To generate, destroy, export, import, upload, and configure
tenant secrets and customer-supplied key material:
Manage Encryption Keys
When you create, refresh or clone a sandbox, the sandbox retains limited (read only) access
to keys that were used to encrypt data the sandbox inherits. This is so you can decrypt the content.
Providing limited EKM key access is essential to ensure a consistent experience in your
sandbox orgs. We strongly recommend that you rotate your keys on newly created sandbox orgs
and sync your data via Encryption Statistics right away. By rotating your keys, you avoid
complications that could happen if the original encryption keys are deactivated or destroyed.
More specifically:
In order to access their source org’s keys, sandboxes must share their source org's region
when using EKM.
Consider changes in the source org's external KMS Key Policy that restrict source org
access to data encryption keys. These changes propagate to the sandbox orgs that still
depend on those keys at the time of change. If you rotate your keys, your sandbox is
unaffected by changes in the source org’s key policies.
We recommend that you clone a sandbox only after you rotate your keys and sync all the
encrypted data in the original sandbox.
Access to keys is automatically extended at the time of sandbox creation, refresh or clone.
We also remove such access to EKM-based keys at the time of permanent sandbox org deletion.
When you clone a sandbox org (with EKM keys), access is extended only for the EKM keys that
belong to the source sandbox org, not any keys that the sandbox org inherited between the time
the original sandbox was created and the time the clone was created.
We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required Cookies
Always Active
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional Cookies
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising Cookies
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.
