
          Encrypt Data 360 with Customer-Managed Root Keys

          By default, all data in Data 360 is encrypted at rest by a Salesforce-managed data encryption key (DEK). With Platform Encryption for Data 360, you can generate a Data 360 root key in Salesforce Setup. Your Data 360 root keys are specific to your org and secure the DEKs that encrypt and decrypt your data. In this way, you control the chain of keys that encrypt your data. If you want to use an external Key Management Server (KMS), you can also use External Key Management (EKM) with Data 360.

          Required Editions

          Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
          Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service. Data 360 customers must also have the Platform Encryption for Consumption license.
          User Permissions Needed
          To generate, destroy, export, import, upload, and configure key material: Manage Encryption Keys
          To view and edit Setup: View Setup and Configuration

          You can generate root keys that encrypt Data 360 data in both production and sandbox environments.

          Important
          Because external DLOs are outside of Data 360, data in external DLOs isn't encrypted by Data 360.
          1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
          2. Turn on Manage Data Cloud Keys.
            Salesforce generates a root key for you. This triggers the encryption of all previously ingested data in Data 360. When it’s ready, you can see it on the Key Management page under the Data Cloud tab.
          3. If you want to use EKM, you must also turn on Allow External Key Management.
          4. After your root key is created, you can optionally edit the description on your root key for easier key identification and auditing. To edit the description:
            1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Key Management.
            2. In the Root Key Inventory section under the Data Cloud tab, click Details.
            3. Click Edit Description.
            4. Add a unique description, and then save your work.
          5. After the initial encryption is complete (check the Encryption Statistics page), if you want to use EKM, follow the process in Connect Salesforce to AWS KMS and Create a Data Encryption Key. If you want to use BYOK for Data 360, follow the process in Encrypt Data 360 with a BYOK Root Key.

          Your initial DEK is immediately used to encrypt new data in Data 360 data sources, including Data 360 search indexes. Salesforce also re-encrypts existing data with your new key material, which can take some time if you have a large amount of data in Data 360. Check the status of this process on the Data Cloud card on the Encryption Statistics page in Setup. You must wait for the initial encryption process to complete before you can rotate your root key or EKM key. Afterwards, you can rotate your Salesforce root key for Data 360 every 3 months.

          Note
          Root keys don’t control the DEKs used to encrypt unstructured data flows in Data 360.

          For Sub-Second Real-Time customers who require external key material encryption in Data 360, Salesforce uses tenant-level isolation for storing encrypted keys for unified profiles. This isolation ensures that each tenant's data is encrypted with its own keys.

           