With Shield Platform Encryption, you can generate unique tenant secrets, root keys, and data encryption keys (DEKs). You can also generate key material using your own external resources. In either case, you manage your own key material: you can rotate it, archive it, and designate other users to share responsibility for it.
Required Editions
Note: This page is about Shield Platform Encryption, not Classic Encryption.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.
User Permissions Needed
To manage key material: Manage Encryption Keys
Note: When you generate or upload new key material for a feature, it becomes the active key for that feature. Any new data for the feature is encrypted using this key. However, existing sensitive data remains encrypted using previous keys, which are now archived. In this situation, we strongly recommend re-encrypting this data with your active key. You can synchronize your data with the active key material on the Encryption Statistics and Data Sync page.
Rotate Your Encryption Key Material
You control the lifecycle of your data encryption keys by controlling the lifecycle of your key material. Salesforce recommends that you regularly generate or upload new Shield Platform Encryption key material. When you rotate a tenant secret, data encryption key (DEK), or root key, you replace it with either Salesforce-generated key material or key material that you supply.
Back Up Your Tenant Secrets
Your Shield Platform Encryption tenant secret is unique to your org and to the specific data to which it applies. Salesforce recommends that you export your tenant secret to ensure continued access to the related data.
Destroy Key Material
Only destroy Shield Platform Encryption tenant secrets and key material in extreme cases where access to related data is no longer needed. Your key material is unique to your org and to the specific data to which it applies. Once you destroy key material, related data is not accessible unless you import previously exported key material. You can't destroy key material used by Database Encryption.
Require Multi-Factor Authentication for Key Management
Multi-factor authentication (MFA) is a powerful tool for securing access to data and resources. Salesforce requires the use of MFA for all logins to your org's user interface. In addition, you can add extra security by also requiring MFA for Shield Platform Encryption key management tasks like generating, rotating, or uploading key material and certificates.
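The key lifecycle described in the rotate, back up, and destroy topics above, modelled as an added example (not Salesforce code): rotation archives the previous version but keeps it readable, a sync re-encrypts old records under the active version, and destroying a version makes its records unreadable until an exported copy is imported again. The cipher is a constructed HMAC-SHA256 keystream for illustration only, not Shield's actual envelope scheme, and all class and method names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from a PRF (HMAC-SHA256) in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

@dataclass
class TenantKeyring:
    """Hypothetical model of per-feature key material: version -> (status, key)."""
    versions: dict = field(default_factory=dict)
    active: int = 0

    def rotate(self, material: bytes = b"") -> int:
        """Generate (or upload) new material; the previous active version is archived."""
        if self.active:
            self.versions[self.active] = ("archived", self.versions[self.active][1])
        self.active += 1
        self.versions[self.active] = ("active", material or os.urandom(32))
        return self.active

    def encrypt(self, plaintext: bytes) -> tuple:
        nonce = os.urandom(16)  # fresh nonce per record so keystream is never reused
        key = self.versions[self.active][1]
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        return (self.active, nonce, ct)  # record carries the key version it was written under

    def decrypt(self, record: tuple) -> bytes:
        version, nonce, ct = record
        status, key = self.versions.get(version, ("missing", None))
        if key is None:
            raise PermissionError(f"key version {version} is {status}; import a backup to recover")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

    def can_decrypt(self, record: tuple) -> bool:
        try:
            self.decrypt(record)
            return True
        except PermissionError:
            return False

    def sync(self, records: list) -> list:
        """Data sync: re-encrypt anything still under an archived version with the active key."""
        return [self.encrypt(self.decrypt(r)) if r[0] != self.active else r for r in records]

    def export(self, version: int) -> tuple:
        return (version, self.versions[version][1])  # backup before any destroy

    def destroy(self, version: int) -> None:
        self.versions[version] = ("destroyed", None)  # material gone; records unreadable

    def import_material(self, backup: tuple) -> None:
        version, key = backup
        self.versions[version] = ("active" if version == self.active else "archived", key)
```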