With External Key Management (EKM), you can use key material housed in an external
key management service (KMS). If you currently use a Salesforce-generated root key or DEK and
want to move to EKM, you can do so if the Shield Platform Encryption feature supports EKM.
EKM is currently available for Platform Encryption for Data 360, Fields and Files (probabilistic),
Fields (deterministic), Event Bus, and Shield Platform Encryption Search Indexes.
Required Editions
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.
Prepare to use EKM
To prepare for External Key Management we recommend these steps:
Pay special attention to the section EKM Prerequisites. We currently
support AWS KMS only, and you will need to create your key material there.
Rotating To and From EKM
You can rotate to EKM, and rotate back to a Salesforce tenant secret (or BYOK, if the
feature supports it). To the Shield Platform Encryption process, it's just another secret.
The topic Work with Salesforce Key Material describes key rotation concepts,
considerations, and limitations.
EKM Considerations
Take care when managing your external keys. Your Salesforce application depends on your external keys to encrypt and decrypt your data. If the key status changes, your users could permanently lose access to encrypted data.
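One way to watch for the key status changes described above, as an added example that is not Salesforce or AWS code: it classifies the `KeyMetadata` of an AWS KMS `DescribeKey` response. The sample response, the placeholder key ID, the severity labels, and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like an AWS KMS DescribeKey response; the key ID is a placeholder.
SAMPLE = json.loads("""
{"KeyMetadata": {"KeyId": "00000000-0000-0000-0000-000000000000",
                 "KeyState": "PendingDeletion", "Enabled": false,
                 "DeletionDate": "2030-01-15T00:00:00+00:00"}}
""")

# AWS KMS KeyState values mapped to severity labels (the labels are this example's assumption).
SEVERITY = {
    "Enabled": ("ok", "key is usable"),
    "Disabled": ("high", "cryptographic operations fail until the key is re-enabled"),
    "PendingImport": ("high", "the key has no key material"),
    "PendingDeletion": ("critical", "key is scheduled for deletion"),
}

def _parse_time(value):
    """Accept epoch seconds or an ISO 8601 string; return a timezone-aware datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def assess_key(describe_key, now):
    """Classify one DescribeKey response; states not listed above fail closed as 'high'."""
    meta = describe_key["KeyMetadata"]
    state = meta.get("KeyState", "Unknown")
    severity, reason = SEVERITY.get(state, ("high", "unrecognized state, review manually"))
    finding = {"key_id": meta.get("KeyId"), "state": state,
               "severity": severity, "reason": reason}
    if state == "PendingDeletion" and "DeletionDate" in meta:
        # Days left in which the scheduled deletion can still be cancelled.
        remaining = _parse_time(meta["DeletionDate"]) - now
        finding["days_until_deletion"] = max(remaining.days, 0)
    return finding

if __name__ == "__main__":
    print(assess_key(SAMPLE, datetime.now(timezone.utc)))
```

Run it on a schedule against the real `DescribeKey` output for the key that backs EKM, and alert on any severity other than `ok`.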