          Encrypt Search Index Files with a Root Key


          In orgs that use the updated search index framework, you use a DEK that’s secured by a root key in the search index encryption process. Sometimes you must search for personally identifiable information (PII) or for data that’s encrypted in the database. When you search your org, the results are stored in search index files in plaintext — a potential vulnerability. You can encrypt these search index files with Shield Platform Encryption, adding another layer of security to your data.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          User Permissions Needed
          To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys

          With the Spring ‘24 release, we began migrating Hyperforce orgs to a new search index encryption architecture. This architecture, available only for Hyperforce orgs, gives you the ability to control the root key that generates and encrypts the data encryption key (DEK) for your search indexes. The migration is gradual, so it’s possible that you’re still using the legacy search index encryption. We notify you when your org is using the new architecture.

          For orgs that use the updated search index framework, we create the first root key and data encryption key (DEK). Your search indexes are then generated using the new architecture with the new DEK. The old search index tenant secrets are used only until the new search index framework is in place. After your indexes have been reindexed by using the new framework, your old search index tenant secrets are no longer used.

          Your search index encryption root key and DEK are both visible on the Key Management page in Setup. The root key that secures a DEK is visible in the Key Management Table. Just like other keys in Salesforce, you can rotate root keys and DEKs for control over your key lifecycle and encryption policy.

          Search index DEKs are never stored unwrapped. When needed, they’re unwrapped by the root key and cached for immediate use by the search index service.
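
The key hierarchy described above, sketched as generic envelope encryption in Node.js. This is an added example, not Salesforce code: the AES-256-GCM choice, the blob layout, and the names `seal`, `open`, `createWrappedDek`, `IndexService`, `rewrapDek` and `demo` are assumptions, and `rewrapDek` shows a common envelope-encryption pattern rather than documented Salesforce behavior.

```javascript
// Added illustration of a root key -> DEK hierarchy; not Salesforce code.
// AES-256-GCM, the blob layout and every name here are assumptions.
const crypto = require('crypto');

// Authenticated encryption helpers. Blob layout: iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Only the wrapped DEK is returned for storage; the raw DEK never leaves this function.
function createWrappedDek(rootKey) {
  return seal(rootKey, crypto.randomBytes(32));
}

// Index service: unwraps the DEK with the root key on first use, then serves it from memory.
class IndexService {
  constructor(rootKey, wrappedDek) {
    Object.assign(this, { rootKey, wrappedDek, cachedDek: null, unwraps: 0 });
  }
  dek() {
    if (!this.cachedDek) { this.cachedDek = open(this.rootKey, this.wrappedDek); this.unwraps++; }
    return this.cachedDek;
  }
  writeEntry(text) { return seal(this.dek(), Buffer.from(text, 'utf8')); }
  readEntry(blob) { return open(this.dek(), blob).toString('utf8'); }
}

// Generic root key rotation: rewrap the same DEK, so existing index entries stay readable.
function rewrapDek(oldRoot, newRoot, wrappedDek) {
  return seal(newRoot, open(oldRoot, wrappedDek));
}

// Constructed sample: one index entry holding PII-like text.
function demo() {
  const root = crypto.randomBytes(32);
  const svc = new IndexService(root, createWrappedDek(root));
  const blob = svc.writeEntry('jane.doe@example.com');
  return { roundTrip: svc.readEntry(blob), unwraps: svc.unwraps };
}
```
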

          1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
          2. In the Encryption Policy section, turn on Encrypt Search Indexes.
            Salesforce begins creating your root key and DEK. You’re notified when the new DEK is ready.
          3. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
          4. In the Key Management Table, select Search Index.
            Review the page. When the new DEK is Active, your search indexes are being encrypted.
           