Generate a Tenant Secret with Salesforce
For new customers and admins setting up field-level encryption, generate your first probabilistic and deterministic tenant secrets from the Encryption Settings page. You can also generate any tenant secret from the Key Management page.
Required Editions
- Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
- Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
- Available for free in Developer Edition.
| User Permissions Needed | |
|---|---|
| To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: | Manage Encryption Keys |
Generate an Initial Probabilistic or Deterministic Tenant Secret
If you’re just getting started with Shield Platform Encryption, you can accomplish a number of your setup tasks on the Encryption Settings page in Setup. Start by turning on settings that generate your first tenant secrets for you. You can then turn on other settings that apply those keys to data, or go to the Encrypt Fields page to apply those tenant secrets to individual fields.
When you turn on settings that generate your first probabilistic and deterministic tenant secret, other settings on the Encryption Settings page become available to you.
- From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Settings.
- Turn on one or both of the settings that create an initial tenant secret for you.
  - Turn on Generate Initial Probabilistic Tenant Secret. Use the resulting Fields and Files (Probabilistic) tenant secret to encrypt most fields, files, and attachments. This tenant secret must be present before you can generate a deterministic tenant secret.
  - Turn on Generate Initial Deterministic Tenant Secret. Use this option to apply the Fields (Deterministic) encryption scheme to fields. This scheme is useful if you want to encrypt fields individually while retaining the ability to sort, filter, and query the contents of those fields.
Salesforce generates a tenant secret for you. Settings that require an active tenant secret become available on the Encryption Settings page.
With an active tenant secret, you can immediately encrypt custom fields in managed packages or field history and feed tracking values on the Encryption Settings page. You can also go directly to the Encrypt Standard Fields page where you apply tenant secrets to individual fields. See your tenant secrets in the Key Management Table on the Key Management page in Setup.
Create All Tenant Secret Types
New and existing customers can generate tenant secrets of every type on the Key Management page in Setup. This page includes tenant secrets for FLE, the transactional database, the event bus, and the search index (for orgs not yet migrated to the new search index framework).
- From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
- In the Key Management Table, select a key type.
- Click Generate Tenant Secret.
How often you can generate a tenant secret depends on the tenant secret type. You can generate tenant secrets for the Fields and Files (Probabilistic) type once every 24 hours in production orgs, and once every 4 hours in Sandbox orgs. You can generate tenant secrets for the Search Index type once every 7 days.
You can have up to 50 active and archived tenant secrets of each type. For example, you can have 1 active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. This limit includes Salesforce-generated and customer-supplied key material.
If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data that it encrypts with an active key.
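A pre-flight check for a scheduled key rotation, applying the generation intervals and the 50-key cap described above. This is an added example, not Salesforce code: the record fields (`type`, `status`, `created`), the status strings, and measuring the interval from the newest secret of a type are assumptions, and the inventory is constructed sample data.

```python
from datetime import datetime, timedelta, timezone

MAX_PER_TYPE = 50  # active + archived, Salesforce-generated and customer-supplied
PROB = "Fields and Files (Probabilistic)"
# Intervals stated on the page; types not listed there get the cap check only.
INTERVALS = {
    PROB: {"production": timedelta(hours=24), "sandbox": timedelta(hours=4)},
    "Search Index": {"production": timedelta(days=7), "sandbox": timedelta(days=7)},
}

def can_generate(secrets, key_type, org_kind, now):
    """Return (allowed, reason) for generating a new tenant secret of key_type."""
    same_type = [s for s in secrets if s["type"] == key_type]
    # Destroyed keys no longer count toward the cap (assumed status strings).
    counted = [s for s in same_type if s["status"] in ("ACTIVE", "ARCHIVED")]
    if len(counted) >= MAX_PER_TYPE:
        return False, f"cap reached: {len(counted)} active and archived keys"
    interval = INTERVALS.get(key_type, {}).get(org_kind)
    if interval is None:
        return True, "no interval listed for this type; cap check only"
    if same_type:
        # Assumption: the interval runs from the newest secret of this type.
        next_ok = max(s["created"] for s in same_type) + interval
        if now < next_ok:
            return False, f"interval not elapsed; retry after {next_ok.isoformat()}"
    return True, "ok"

def sample_inventory(now, archived=3):
    """Constructed sample data: one active key plus `archived` older keys."""
    inv = [{"type": PROB, "status": "ACTIVE", "created": now - timedelta(hours=5)}]
    inv += [{"type": PROB, "status": "ARCHIVED",
             "created": now - timedelta(days=30 + i)} for i in range(archived)]
    inv.append({"type": "Search Index", "status": "ACTIVE",
                "created": now - timedelta(days=8)})
    return inv

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    for org in ("production", "sandbox"):
        print(org, can_generate(sample_inventory(now), PROB, org, now))
    print("at cap", can_generate(sample_inventory(now, archived=49), PROB, "sandbox", now))
```

When the cap blocks a rotation, the function only reports it; re-synchronizing the data under an active key and destroying an old key remain manual steps on the Key Management page.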

