          Key Management and Rotation

          With Shield Platform Encryption, you control and rotate the key material used to encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then combined with a primary secret for each release to derive a data encryption key. This derived data encryption key is then used in encryption and decryption functions. You can also use the Bring Your Own Key (BYOK) service to upload your own key material. Or you can store your key material outside of Salesforce. Use the External Key Management Service or the Cache-Only Key Service to fetch your key material on demand.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          User Permissions Needed
          To manage key material: Manage Encryption Keys
          Note: This content relates to Shield Platform Encryption. Read about implementing field-level encryption using Shield Extension in Own from Salesforce.
          Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

          Key management begins with assigning appropriate permissions to security administrators. Assign permissions to people you trust to encrypt data, manage certificates, and work with key material. It’s a good idea to monitor these users’ key management and encryption activities with the Setup Audit Trail. Authorized developers can generate, rotate, export, destroy, reimport, and upload tenant secrets by coding a call to the TenantSecret object in the Salesforce API.
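          As an added illustration of the TenantSecret API call mentioned above (example code, not part of this Salesforce article), the Apex class below rotates the Data-type tenant secret by inserting a new TenantSecret record and then verifies the outcome. It assumes Shield Platform Encryption is enabled in the org and that the running user holds the Manage Encryption Keys permission; the class and method names are the example's own.

```apex
// Added example: rotate the Data tenant secret and confirm the result.
// Assumes Shield Platform Encryption is enabled and the running user holds
// the "Manage Encryption Keys" permission. Not part of the Salesforce article.
public with sharing class TenantSecretRotation {

    // Inserting a TenantSecret of an existing Type generates new key material
    // for that Type; the previously Active secret of that Type becomes Archived.
    public static Id rotateDataSecret(String description) {
        TenantSecret newSecret = new TenantSecret(
            Type = 'Data',
            Description = description
        );
        insert newSecret;
        return newSecret.Id;
    }

    // Archived secrets still decrypt data encrypted under them, so keep them
    // until the background encryption service has re-encrypted that data
    // under the new secret. Newest version first.
    public static List<TenantSecret> listDataSecrets() {
        return [
            SELECT Id, Version, Status, Description, CreatedDate
            FROM TenantSecret
            WHERE Type = 'Data'
            ORDER BY Version DESC
        ];
    }

    // Post-rotation sanity check: exactly one Active secret should exist
    // for the given Type (for example 'Data' or 'SearchIndex').
    public static Boolean hasSingleActiveSecret(String keyType) {
        Integer activeCount = [
            SELECT COUNT()
            FROM TenantSecret
            WHERE Type = :keyType AND Status = 'Active'
        ];
        return activeCount == 1;
    }
}
```

          Because every insert and status change on TenantSecret is recorded in the Setup Audit Trail, reviewing that trail after running a rotation is the simplest way to confirm who rotated what and when.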

          • Work with Salesforce Key Material
            With Shield Platform Encryption, you can generate unique tenant secrets, root keys, and DEKs. You can also generate key material using your own external resources. In either case, you manage your own key material: you can rotate it, archive it, and designate other users to share responsibility for it.
          • Get Statistics About Your Encryption Coverage
            The Encryption Statistics page provides an overview of all data encrypted with Shield Platform Encryption. This information helps you to stay on top of your key rotation and management tasks. You can also use encryption statistics to identify which objects and fields you may want to update after you rotate your key material.
          • Synchronize Your Data Encryption with the Background Encryption Service
            Periodically, you change your encryption policy. Or you rotate your keys. To get the most protection out of your encryption strategy with Shield Platform Encryption, synchronize new and existing encrypted data under your most recent encryption policy and keys. You can do this yourself or ask Salesforce for help.
          • Work with External Key Material
            To give you more complete control over your key material, Salesforce offers three options: BYOK (Bring Your Own Key), EKM (External Key Management), and the Cache-Only Key Service.