On-Demand Tenant Secret Generation
Customers can generate or upload key material every 24 hours in their production or Developer Edition orgs, and every 4 hours in sandbox orgs. Field-Level Encryption key material can be destroyed at any time. When a customer generates new key material, all future data is encrypted with the new final data encryption key (DEK). This DEK is derived by default. Customers can opt out of derivation and supply their own DEK.
The on-demand FLE tenant secret or database tenant secret is generated by the regional Shield KMS.
The process of generating one of these tenant secrets includes these steps.
- An admin attempts to generate a new tenant secret by using the UI or API.
- The encryption service sends an authenticated request to the regional Shield KMS.
- The regional Shield KMS generates the tenant secret (TS).
- The regional Shield KMS encrypts the tenant secret with the per-release tenant wrapping key.
- The regional Shield KMS sends the encrypted tenant secret back to the encryption service running on the Lightning Platform. In the case of Database Encryption, the database tenant secret is sent directly to the transactional database.
- The encryption service stores the encrypted tenant secret securely in the database. The encrypted tenant secret is used to derive the org’s specific data encryption keys on demand. This encrypted tenant secret can only be decrypted in the regional Shield KMS.
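The key hierarchy these steps describe, as an added Go model that is not Salesforce's code: a `RegionalKMS` type that alone holds the per-release tenant wrapping key, wraps a freshly generated tenant secret with AES-GCM, and derives a DEK on demand only after unwrapping inside the KMS, so the encryption service can store the wrapped secret but never recover it. The wrapping cipher, the HMAC-based derivation, and the use of the org ID as associated data are assumptions for illustration; the page does not state the real algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RegionalKMS models the regional Shield KMS; only it holds the per-release
// tenant wrapping key, so a wrapped tenant secret is opaque everywhere else.
type RegionalKMS struct{ wrap cipher.AEAD }

func NewRegionalKMS() *RegionalKMS {
	key := make([]byte, 32) // constructed AES-256 wrapping key for this example
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return &RegionalKMS{wrap: g}
}

// GenerateTenantSecret creates a fresh tenant secret (TS) and returns it as
// nonce||AES-GCM ciphertext with the org ID bound as associated data. The
// plaintext TS never leaves the KMS; callers store only this wrapped form.
func (k *RegionalKMS) GenerateTenantSecret(orgID string) []byte {
	ts := make([]byte, 32)
	rand.Read(ts)
	nonce := make([]byte, k.wrap.NonceSize())
	rand.Read(nonce)
	return k.wrap.Seal(nonce, nonce, ts, []byte(orgID))
}

// DeriveDEK unwraps the stored TS inside the KMS and derives the org's data
// encryption key. The KDF (HMAC-SHA256 over org ID and purpose) is an
// assumption for illustration; the page does not state the real derivation.
func (k *RegionalKMS) DeriveDEK(orgID string, wrapped []byte, purpose string) ([]byte, error) {
	ns := k.wrap.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("malformed wrapped tenant secret")
	}
	ts, err := k.wrap.Open(nil, wrapped[:ns], wrapped[ns:], []byte(orgID))
	if err != nil {
		return nil, fmt.Errorf("unwrap rejected (wrong org or tampered): %w", err)
	}
	mac := hmac.New(sha256.New, ts)
	mac.Write([]byte(orgID + "\x00" + purpose))
	return mac.Sum(nil), nil
}
```

Generating new key material produces a new wrapped secret and therefore a new DEK, while a wrapped secret presented to a different KMS instance, under a different org ID, or after modification fails to unwrap.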