Shield Platform Encryption (Add-On) Encryption Policy - Salesforce Managed Keys

Enable Tenant Secrets and rotate them periodically.

Control Name

Shield Platform Encryption Policy - Salesforce Managed Keys - Probabilistic Tenant Secret

Recommended Configuration

Setup > Platform Encryption > Encryption Settings > Enable Generate Initial Probabilistic Tenant Secret.

Generate the probabilistic tenant secret and use the resulting Fields and Files tenant secret to encrypt fields, files, and attachments.

Control Overview

Enable Tenant Secrets and rotate them periodically.

Security Risk If Not Configured

Unauthorized employees may be able to view sensitive PII (Personally Identifiable Information) when encryption is not enabled, and an exposed key makes the encryption control ineffective. By rotating keys regularly (for example, every year), a leaked key only grants access to the data encrypted under that key; the rest of your data remains protected by different keys.
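As an added example (not Salesforce's code and not part of this article), the following Python audit takes tenant secret records and flags any key type that has no active secret, or whose active secret is older than the yearly rotation period mentioned above. The TenantSecret object name, its Type/Status/Version/CreatedDate fields, the required key types, and the sample rows are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the rows a SOQL query such as
#   SELECT Type, Status, Version, CreatedDate FROM TenantSecret
# would return. The object and field names are assumptions for this example.
SAMPLE_TENANT_SECRETS = [
    {"Type": "Data", "Status": "Archived", "Version": 1,
     "CreatedDate": "2022-01-10T09:00:00.000+0000"},
    {"Type": "Data", "Status": "Active", "Version": 2,
     "CreatedDate": "2024-02-01T09:00:00.000+0000"},
    {"Type": "SearchIndex", "Status": "Active", "Version": 1,
     "CreatedDate": "2024-11-15T09:00:00.000+0000"},
]

# Key types the audit expects an active secret for (assumed for this example;
# "Data" stands in for the Fields and Files tenant secret named on the page).
REQUIRED_TYPES = ("Data", "SearchIndex")
MAX_KEY_AGE = timedelta(days=365)  # the page's example rotation period: every year
AS_OF = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def parse_sf_datetime(value):
    """Parse the ISO-8601 timestamp format the Salesforce API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tenant_secrets(records, now=AS_OF, required_types=REQUIRED_TYPES,
                         max_age=MAX_KEY_AGE):
    """Return (key_type, finding) pairs. A required type with no Active secret means
    that data class is not protected by a current key; an Active secret older than
    max_age means rotation is overdue. Archived or Destroyed secrets are ignored."""
    active_by_type = {}
    for rec in records:
        if rec["Status"] == "Active":
            active_by_type.setdefault(rec["Type"], []).append(rec)

    findings = []
    for key_type in required_types:
        active = active_by_type.get(key_type)
        if not active:
            findings.append((key_type, "no active tenant secret"))
            continue
        newest = max(active, key=lambda r: parse_sf_datetime(r["CreatedDate"]))
        age = now - parse_sf_datetime(newest["CreatedDate"])
        if age > max_age:
            findings.append((key_type,
                             f"active secret v{newest['Version']} is {age.days} days old; rotation overdue"))
    return findings
```

Feeding the function the real query result instead of the sample turns it into a scheduled check that reports a key type as overdue once its newest active secret passes the rotation period.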

Threat Scenarios

Without encryption key management, a threat actor who obtains an exposed key can use it to access encrypted sensitive data.

Estimated CVSS Score Range

Critical (9.0–10.0).

Risk Impact Considerations

Depends on the sensitive data stored in the platform and on the regulatory requirements the company must comply with.

Higher Risk When

Encryption is not enabled, keys are not rotated, or keys are exposed to many users and external applications.

Low or No Risk When

This control can be considered low risk when one or more of the following are implemented:

• You use your own encryption key with external key management.
• Access to keys is restricted by using MFA.

Business and Integration Considerations

Customers should evaluate the business justification for managing the keys used to encrypt data.

Recommended Remediation

Depending on requirements, enable encryption key management that aligns with company policy and compliance requirements, using either Salesforce Managed Keys or Bring Your Own Key.

Security Health Review Guidance

N/A - Currently not inspected by the Security Health Review tool.
