Disaster Recovery and Key Management
You have control over the lifecycle of your encryption keys and tenant secrets. Salesforce provides several options for key material, including Salesforce-generated keys, Bring Your Own Key (BYOK), External Key Management (EKM), and the Cache-Only Key service. Salesforce strongly recommends that you regularly rotate your key material to align with security policies.
Key rotation involves generating or uploading new key material, which becomes the active key for new data, while previous keys are archived for decrypting existing data. For data encrypted with Field-Level Encryption, you can synchronize existing data with the new active key. In contrast, Database Encryption does not have a self-service sync option; data is gradually re-encrypted over time as users edit it.
For disaster recovery, it is crucial to have a strategy for backing up and archiving your keys and data. You are solely responsible for ensuring that your data and key material are backed up and stored in a safe place. If you destroy a key without a backup, all data encrypted with that key becomes permanently inaccessible. EKM keys, if disabled or deactivated on the external KMS, will also render the associated Salesforce data inaccessible once the key is flushed from the cache.
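
The rotation, sync, and key-destruction behavior described above can be modeled in a few lines. This is an added conceptual example, not Salesforce code or a Salesforce API: the `KeyRing` class, its method names, and the toy cipher are all hypothetical, and the sample records are constructed.

```python
import hashlib, hmac, secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream, for illustration only (not production crypto).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _mac(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Separate MAC key derived from the key material (assumption of this model).
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

class KeyRing:
    """Hypothetical model: one active key, archived keys kept only for decryption."""
    def __init__(self):
        self.keys = {}       # key_id -> key material (active and archived)
        self.active_id = 0
        self.rotate()

    def rotate(self) -> int:
        # New material becomes active; earlier keys remain in self.keys as archived.
        self.active_id += 1
        self.keys[self.active_id] = secrets.token_bytes(32)
        return self.active_id

    def destroy(self, key_id: int) -> None:
        # With no external backup, this removes the only copy of the key.
        del self.keys[key_id]

    def readable(self, rec: dict) -> bool:
        return rec["key_id"] in self.keys

    def encrypt(self, plaintext: bytes) -> dict:
        key, nonce = self.keys[self.active_id], secrets.token_bytes(16)
        ct = _keystream_xor(key, nonce, plaintext)
        return {"key_id": self.active_id, "nonce": nonce, "ct": ct,
                "tag": _mac(key, nonce, ct)}

    def decrypt(self, rec: dict) -> bytes:
        if not self.readable(rec):
            raise KeyError(f"key {rec['key_id']} destroyed; record unrecoverable")
        key = self.keys[rec["key_id"]]
        if not hmac.compare_digest(_mac(key, rec["nonce"], rec["ct"]), rec["tag"]):
            raise ValueError("integrity check failed")
        return _keystream_xor(key, rec["nonce"], rec["ct"])

    def sync(self, records: list) -> list:
        # Re-encrypt records still held under archived keys with the active key.
        return [r if r["key_id"] == self.active_id else self.encrypt(self.decrypt(r))
                for r in records]
```

A record that was synced before its original key is destroyed stays readable; a record left under the destroyed key does not, which is why key backups must cover every archived key that still protects data.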

