Key Material Types
With Shield Platform Encryption, you encrypt data with either tenant secrets or a key pair composed of a root key and a data encryption key (DEK). Each type of key material targets specific data stores within Salesforce. You can apply different key-rotation cycles or key-destruction policies to different keys based on the kinds of data that they encrypt.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
Types of Tenant Secrets
Tenant secrets are categorized according to the kind of data that they encrypt.
- Fields and Files (Probabilistic)
- Encrypts data using the probabilistic encryption scheme, including data in fields, attachments, and files other than search index files.
- Field (Deterministic)
- Encrypts field data by using the deterministic encryption scheme.
- Search Index
- Encrypts fields and other data governed by your encryption policy stored in search indexes. Available in non-Hyperforce orgs, and in those Hyperforce orgs that don’t yet use the updated search index framework.
- Database Encryption
- Encrypts all data in the transactional database.
- Analytics
- Encrypts CRM Analytics data.
- Event Bus
- Encrypts event messages that are stored temporarily in the event bus. For change data capture events, this secret encrypts data changes and the corresponding event that contains them. For platform events, this secret encrypts the event message including event field data.
You can have up to 50 active and archived tenant secrets of each type. For example, you can have 1 active and 49 archived Fields and Files (Probabilistic) tenant secrets and the same number of Analytics tenant secrets. This limit counts both Salesforce-generated key material and key material that you supply. The Database Encryption tenant secret is excluded from this count because its tenant secrets use a different architecture.
If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data that it encrypts with an active key: data that is still encrypted with destroyed key material can no longer be decrypted.
Root Keys and Data Encryption Keys
Some Salesforce data can be encrypted with a root key and data encryption key (DEK) pair.
- AWS Root Key
- A root key that is stored in AWS KMS and referenced by Salesforce. It controls the DEK used to encrypt Salesforce data. Available when External Key Management is enabled and a connection to AWS KMS is configured.
- Data 360 Root Key
- Wraps the DEK used to encrypt data within Data 360.
- Data Encryption Key (DEK)
- The key material used to encrypt data. A DEK is either derived by combining a primary key and a tenant secret, or created by a root key.
- Salesforce Root Key
- Controls the DEK used to encrypt data.
- Search Index DEK
- Encrypts all search indexes and is controlled by a root key. Available in Hyperforce orgs that use the updated search index framework.
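The two key-material paths above (a DEK derived from a primary key plus a tenant secret, and a DEK wrapped by a root key) and the probabilistic versus deterministic distinction in the tenant secret list are easier to reason about with a concrete model. The following Go program is an added illustration written for this page; it is not Salesforce code and does not reproduce Salesforce's actual KDF, cipher modes, or key formats. The functions DeriveDEK, WrapDEK, UnwrapDEK, EncryptProbabilistic, EncryptDeterministic and Decrypt, the HMAC-SHA256 derivation, the AES-GCM envelope, the synthetic-IV scheme used for the deterministic case, and all key bytes are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdf is an HMAC-SHA256 derivation step: the same inputs always give the same
// 32-byte key. Illustrative only; Salesforce's own derivation is not shown here.
func kdf(key, salt []byte, label string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(salt)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// DeriveDEK models the first path: combine a platform-held primary key with a
// tenant secret. Rotating or destroying the tenant secret changes or removes
// the DEK, which is why data must be synchronized before a secret is destroyed.
func DeriveDEK(primaryKey, tenantSecret []byte) []byte {
	return kdf(primaryKey, tenantSecret, "dek")
}

// WrapDEK models the second path: a root key (for example one held in an
// external KMS) wraps the DEK, and only the wrapped form is ever stored.
func WrapDEK(rootKey, dek []byte) ([]byte, error) {
	return EncryptProbabilistic(rootKey, dek)
}

func UnwrapDEK(rootKey, wrapped []byte) ([]byte, error) {
	return Decrypt(rootKey, wrapped)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptProbabilistic uses a fresh random nonce per call, so two encryptions
// of the same value differ. Equality filtering on the ciphertext is impossible.
func EncryptProbabilistic(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// EncryptDeterministic derives the nonce from the plaintext under a separate
// HMAC key (a simplified synthetic-IV construction; prefer a vetted
// deterministic AEAD such as AES-GCM-SIV in production). Equal plaintexts give
// equal ciphertexts: exact-match filtering works, but which records share a
// value is also revealed to anyone who can read the ciphertexts.
func EncryptDeterministic(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonceKey := kdf(key, nil, "siv-nonce")
	nonce := append([]byte(nil), kdf(nonceKey, plaintext, "")[:aead.NonceSize()]...)
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt handles both forms because the nonce is stored ahead of the ciphertext.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	// Constructed sample key material; real keys come from a CSPRNG or a KMS.
	primaryKey := bytes.Repeat([]byte{0x01}, 32)
	tenantSecret := bytes.Repeat([]byte{0x02}, 32)
	rootKey := bytes.Repeat([]byte{0x03}, 32)

	dek := DeriveDEK(primaryKey, tenantSecret)
	wrapped, _ := WrapDEK(rootKey, dek)
	fmt.Println("wrapped DEK bytes:", len(wrapped))

	ssn := []byte("123-45-6789") // constructed sample field value
	p1, _ := EncryptProbabilistic(dek, ssn)
	p2, _ := EncryptProbabilistic(dek, ssn)
	d1, _ := EncryptDeterministic(dek, ssn)
	d2, _ := EncryptDeterministic(dek, ssn)
	fmt.Println("probabilistic ciphertexts equal:", bytes.Equal(p1, p2)) // false
	fmt.Println("deterministic ciphertexts equal:", bytes.Equal(d1, d2)) // true
}
```

The model makes the trade-off behind the two tenant secret types visible: the deterministic scheme is what lets a field be used in equality filters, and the same property is what leaks which records hold identical values, so it belongs only on fields that genuinely need filtering. It also shows why a root key held outside Salesforce gives you a kill switch: without the root key, the stored wrapped DEK is unusable.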

