          Rotate Your Encryption Key Material

          You control the lifecycle of your data encryption keys by controlling the lifecycle of your key material. Salesforce recommends that you regularly generate or upload new Shield Platform Encryption key material. When you rotate a tenant secret, data encryption key (DEK), or root key, you replace it with either Salesforce-generated key material or key material that you supply.

Required Editions

Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.

User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys

Note: This content relates to Shield Platform Encryption. Read about implementing field-level encryption using Shield Extension in Own from Salesforce.

Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

To decide how often to rotate, consult your security policies. How frequently you can rotate key material depends on the key type and the environment. For key types that have a restriction, you can rotate the tenant secret once per interval.

Key Material Rotation Intervals

Key Material                       Key Type                 Production Environments   Sandbox Environments
Fields and Files (Probabilistic)   Tenant secret            24 hours                  4 hours
Fields (Deterministic)             Tenant secret            7 days                    4 hours
Entire Database                    Database Tenant Secret   3 months                  3 months
Analytics                          Tenant secret            24 hours                  4 hours
Event Bus                          Tenant secret            7 days                    7 days
Search Index                       Tenant secret            7 days                    7 days
Search Index                       DEK                      7 days                    7 days
Salesforce                         Root Key                 No restriction            No restriction
Salesforce (for Data 360 data)     Root Key                 3 months                  3 months

Key Material Statuses

Key Type                               Key Statuses
AWS Root                               Active, Activation Pending, Archived, Canceled, Inactive
Salesforce Root (for Data 360 data)    Active, Archived
Salesforce Root                        Active, Archived, Inactive
Search DEK                             Active, Archived, Destroyed
Tenant Secret                          Active, Archived, Destroyed

          A key’s status means the same thing regardless of key type.

          Active
          The key can be used to encrypt and decrypt new and existing data.
          Activation Pending
          The key is generated in Salesforce but waiting for another process to complete activation.
          Archived
          The key can’t encrypt new data. It can be used to decrypt data previously encrypted with this key when it was active.
          Canceled
          The root key activation process is canceled.
          Destroyed
          The key can’t encrypt or decrypt data. Data encrypted with this key when it was active can no longer be decrypted. Files and attachments encrypted with this key can no longer be downloaded.
Inactive
The root key is present but inactive, which prevents DEKs that it controls from encrypting and decrypting data.

          Rotate Root Keys and Data Encryption Keys

          Shield Platform Encryption encrypts some data stores with key pairs composed of a root key and a data encryption key (DEK). Depending on the data store, you can rotate one or both keys in a key pair. Rotating root keys, which secure DEKs, can help you meet your compliance requirements for key handling. For data stores that allow for customer-managed DEKs, such as search indexes, you can also rotate DEKs. When you rotate a root key, the new root key becomes the active root key. Archived root keys continue to secure existing DEKs. When you rotate a DEK, it’s secured by the active root key.

          1. From Setup, in the Quick Find box, enter Key Management, and then select Key Management.
          2. In the Root Key Inventory, select a root key type tab. Click Generate Root Key, and then follow the prompts for generating a new root key.
            The new root key becomes the active root key and is used to secure new DEKs. Archived root keys continue to secure older DEKs that were generated when those root keys were active.
          3. In the Key Management Table, select a key type tab. If that key type supports DEKs, you see the option to rotate the DEK. Click Generate DEK.
            The new DEK becomes the active DEK. It’s secured by the active root key and encrypts new data from that time onward. Archived DEKs continue to decrypt data that they had encrypted. Archived DEKs are secured by the root key that was active when the DEK was generated.

          Rotate Tenant Secrets

          As with other key material, rotate Shield Platform Encryption tenant secrets to help you stay in alignment with your security and compliance obligations.

          The key derivation function uses a primary secret (KDF seed, formerly master secret), which is rotated with each major Salesforce release. Primary secret rotation doesn’t affect your encryption keys or your encrypted data until you rotate your tenant secret.

          1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
          2. In the Key Management Table, select a key type.
          3. Check the status of the data type’s tenant secrets.
          4. Click Generate Tenant Secret or Bring Your Own Key. If you’re using a tenant secret of your own, upload your encrypted tenant secret and tenant secret hash.
Note

You can have up to 50 active and archived tenant secrets of each type. For example, you can have 1 active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. This limit includes both Salesforce-generated key material and key material that you supply. Database tenant secrets are not counted against this limit.

            If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data it encrypts with an active key.

          5. When generating a new Fields (Deterministic) tenant secret, a window opens. Read the information in the window, and select the two checkboxes to acknowledge the requirements and data synchronization risks. Then click Generate Tenant Secret.
6. If you want to re-encrypt field values with your active key material, synchronize new and existing encrypted data under your most recent keys. You can sync data from the Encryption Statistics and Data Sync page in Setup.
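To make the lifecycle rules in the two procedures above concrete (a DEK stays secured by the root key that was active when it was generated, Archived keys still decrypt while Destroyed keys do not, an Inactive root key blocks its DEKs, the 50-secret limit, and the production rotation intervals), here is an added Python model written for this article; it is not Salesforce code and calls no Salesforce API. KeyInventory, attempt and day are hypothetical names, and the timeline is constructed.

```python
from datetime import datetime, timedelta
# Minimum production rotation intervals from the page's table (sandbox values
# differ); the labels are the page's own key-material names.
PROD_INTERVALS = {"Fields and Files (Probabilistic)": timedelta(hours=24),
                  "Fields (Deterministic)": timedelta(days=7),
                  "Search Index": timedelta(days=7)}
MAX_TENANT_SECRETS = 50  # active + archived per type; Database secrets excluded

class Key:
    def __init__(self, kind, created, secured_by=None):
        self.kind, self.created, self.secured_by = kind, created, secured_by
        self.status = "Active"

def active(keys):
    return next((k for k in keys if k.status == "Active"), None)
def archive_active(keys):  # an Archived key keeps decrypting/securing old material
    cur = active(keys)
    if cur:
        cur.status = "Archived"

class KeyInventory:
    def __init__(self):
        self.root_keys, self.deks, self.tenant_secrets = [], [], {}
    def rotate_root(self, now):  # older DEKs stay secured by the archived root key
        archive_active(self.root_keys)
        self.root_keys.append(Key("root", now))
    def rotate_dek(self, now):  # the new DEK is secured by the active root key
        archive_active(self.deks)
        self.deks.append(Key("dek", now, secured_by=active(self.root_keys)))
    def rotate_tenant_secret(self, kind, now):
        secrets = self.tenant_secrets.setdefault(kind, [])
        if sum(s.status != "Destroyed" for s in secrets) >= MAX_TENANT_SECRETS:
            raise RuntimeError("limit reached: destroy a tenant secret first")
        cur = active(secrets)
        if cur and now - cur.created < PROD_INTERVALS.get(kind, timedelta(0)):
            raise RuntimeError("rotation interval has not elapsed")
        archive_active(secrets)
        secrets.append(Key(kind, now))

def can_decrypt(key):
    # Active and Archived keys decrypt what they encrypted; Destroyed keys do
    # not, and a DEK is unusable while the root key securing it is Inactive.
    root_ok = key.secured_by is None or key.secured_by.status != "Inactive"
    return key.status in ("Active", "Archived") and root_ok
def attempt(fn, *args):  # "ok" or the refusal reason for a rotation request
    try: fn(*args); return "ok"
    except RuntimeError as err: return str(err)

def day(n): return datetime(2024, 1, 1) + timedelta(days=n)  # constructed timeline
```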