          Root Key Lifecycle

          Root key statuses in Platform Encryption define the usage of each key for data encryption and decryption.

          Required Editions

          Available in: All Editions supported by Data 360. See Data 360 edition availability.
          Available with add-on license: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and Platform Encryption for Data Cloud. Also, to use the optional External Key Management, requires purchasing the Platform Encryption for Consumption license.

          Each status impacts the key's availability and functionality within the encryption lifecycle.

          • Active: The root key is visible in the Salesforce Platform Encryption UI and encrypts new data. All write options use this key to ingest new data from this point forward. Only one root key can be active at a time.
          • Archived: When a new root key is generated, the previous key is archived. Archived keys remain available for decrypting existing data but aren't used for encryption of new data.
          • Inactive: A root key becomes inactive when manually deactivated in the Salesforce Platform Encryption UI. In this state, the root key is no longer usable for encryption or decryption. Data encrypted with this key is inaccessible until the key is reactivated through the Salesforce UI.
          • Unavailable (EKM only): This status applies only when using External Key Management (EKM). A root key becomes unavailable when it’s deactivated in the external key manager, such as AWS KMS. This status behaves similarly to Inactive. Before Data 360 processes start failing, customers get notified by email.
          • Cancelled: The key is explicitly abandoned. This lets the customer generate a different key.

          To reactivate the inactive or unavailable keys, see Reactivate an EKM Key. Reactivate the key within 48 hours to avoid data loss in Data 360.

          Key States for BYOK

          • Pending Setup completion: Salesforce has created the empty key wrapper in AWS KMS, and the system is waiting for you to upload the wrapped key material and token.
          • Active: The key is active and its identifier appears in the UI.
          • Archived: The key is archived after you generate a new root key. Archived keys can decrypt existing data but can’t encrypt new data; decryption continues to work once the key enters the archived state.
          • Inactive: The key becomes inactive when you deactivate it in the Salesforce UI. Inactive keys can’t encrypt or decrypt data. Any data encrypted with this key becomes inaccessible until you reactivate it.
          • Cancelled: You explicitly canceled the key. After cancellation, you can generate a new key.
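The two status lists above describe one state machine. The Python below is an added example, not Salesforce code: it models that lifecycle with constructed key identifiers and a placeholder envelope in place of real encryption, enforcing that generating a key archives the previous Active key, that Archived keys decrypt but never encrypt, that Inactive and Unavailable keys do neither until reactivated, and that the 48-hour reactivation window is tracked. The BYOK-only Pending Setup state is omitted.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

REACTIVATE_WITHIN = timedelta(hours=48)  # window the article gives before data loss

@dataclass
class RootKey:
    key_id: str
    base: str = "Active"            # Active | Archived | Cancelled
    disabled: str | None = None     # None | "Inactive" (UI) | "Unavailable" (EKM)
    disabled_at: datetime | None = None

class KeyRing:
    def __init__(self):
        self.keys: dict[str, RootKey] = {}

    def generate(self) -> RootKey:
        for k in self.keys.values():     # the previous Active key is archived, even if
            if k.base == "Active":       # it is currently disabled (only one Active key)
                k.base = "Archived"
        key = RootKey(f"key-{len(self.keys) + 1}")   # constructed identifier
        self.keys[key.key_id] = key
        return key

    def disable(self, key_id: str, now: datetime, external: bool = False) -> None:
        k = self.keys[key_id]            # UI deactivation -> Inactive; EKM -> Unavailable
        k.disabled, k.disabled_at = ("Unavailable" if external else "Inactive"), now

    def reactivate(self, key_id: str, now: datetime) -> bool:  # False: 48-hour window missed
        k = self.keys[key_id]
        in_time = k.disabled_at is not None and now - k.disabled_at <= REACTIVATE_WITHIN
        k.disabled, k.disabled_at = None, None
        return in_time

    def cancel(self, key_id: str) -> None:  # explicitly abandon; a new key can be generated
        self.keys[key_id].base, self.keys[key_id].disabled = "Cancelled", None

    def encrypt(self, plaintext: str) -> tuple[str, str]:
        act = [k for k in self.keys.values() if k.base == "Active" and not k.disabled]
        assert len(act) <= 1, "invariant violated: more than one Active root key"
        if not act:
            raise RuntimeError("no Active root key: new data cannot be written")
        return (act[0].key_id, plaintext)  # placeholder envelope, not real cryptography

    def decrypt(self, envelope: tuple[str, str]) -> str:
        k = self.keys[envelope[0]]       # Active and Archived keys decrypt; others do not
        if k.disabled or k.base == "Cancelled":
            raise PermissionError(f"{k.key_id} is {k.disabled or k.base}: data inaccessible")
        return envelope[1]
```

Reactivation past the window still clears the disabled state, mirroring the article's wording that the deadline concerns data loss rather than whether the key can be reactivated.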
          Salesforce Help | Article