. View the Archive Console

You are here:

View the Archive Console

View multiple Archive instances and their statuses from one platform in Archive Console.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

From the Archive Console you can:

Add or remove instances of the Archive managed package.
Manage your Bring Your Own Key (BYOK) and BYOK-KMS activities.
Import, create, and edit policies.
Manage and review all system activities.

To access the console:

Go to the Archive tab.
Note If you're an Archive-only customer, you're required to create a Recover account first.
From the Welcome page, first-time users can add an existing or new service. Follow the steps listed in Add and Manage Archive Console Services on this page.
If you aren't a first-time user and have archived services with a backup, the Archive Console opens on the Service Management page.
From the Service Management page, you can:
- Manage BYOK.
- Monitor service health.
  The Health Monitor page indicates the health and performance across all your Archive Services from the last 30 days. These metrics are based on multiple parameters related to the amount of data you archive and the status of your Salesforce instance. In the first month that an org has been activated, the data accumulation process can take up to a month to complete.
  The Health summary is shown for all orgs. To view the Health summary, click Health.

Archive Console Mapping Regions
The connections between your Platform Region, Archive Console, and the Archive managed package.
Add and Manage Archive Console Services
Add new and existing services to the Archive Console in the Archive managed package, and edit and remove them if required.
Archive Console Dashboard Overview
Archive Console dashboard gives you an immediate overview of the health of your organization in terms of data trends in the Archive managed package. Let's examine the data displayed in the dashboard.
Archive Console Activities Tab
Set up a customized view of the fields displayed in the Activities log in the Archive managed package.
Archive Console Policies Tab
The Policy tab shows existing archive and purge policies defined from Archive Console in the Archive managed package. You can edit, view, search, run, disable, and delete an active Archive policy from here.
Create Archive Policies from Archive Console
Archive Console offers these features for managing policies in the Archive managed package.
Import Service Policies to Archive Console
You can import policies from your Salesforce service to the Archive Console in the Archive managed package.
Manage Policies from the Archive Console
Manage Archive policy operations, including Edit, View, Preview, Run Now, Enable/Disable, Delete, and Clone from the Archive Console in the Archive managed package.
Archive Multi-Level Objects
Salesforce data consists of complex hierarchical relationships, where records are interdependent across multiple levels. For example, an Account has associated Contacts, which are linked to Tasks, and so forth. Hierarchies can span multiple levels, and the Archive Console in the Archive managed package supports multi-level archiving up to 10 levels deep, ensuring descendant records are archived with the root object.
Enable Archiving of Over 800 Lookups for Each Root Record
When archiving a root record, such as an Order, Case, or custom object, that has over 800 lookup records, the Archive managed package has a dedicated setting to handle archiving and purging.
Abort an Operation from the Archive Console
Abort a running Archive activity from the Archive Console in the Archive managed package. This process is identical for Unarchive and Export activities.
Unarchive from the Archive Console
Restore archived records in your org by reverting a completed operation directly from the Activities log in the Archive managed package.
Bring Your Own Key (BYOK, BYOKMS, and BYOKV) for Archive
Understand the differences among Bring Your Own Key (BYOK), Bring Your Own Key Management Service (BYOKMS) and Bring Your Own Key Vault (BYOKV) for Archive.
Bring Your Own Key Vault (BYOKV) for Archive
Encrypting the storage account used to store your data using your Azure Key Vault (AKV) gives you sole access and management capabilities of the key used to encrypt the Azure Blob Storage account where your data is stored.
Bring Your Own Key (BYOK) for Archive (AWS)
To add a layer of security to your data, create your own encryption keys with Bring Your Own Key (BYOK). When you add an activated encryption key to an Archive service, your data is moved to a dedicated AWS S3 bucket, which is encrypted at rest with the key. When AWS customers create the S3 bucket, a dedicated Elasticsearch instance is created and then encrypted with the customer key.
Bring Your Own Key (BYOK) for Archive (Azure)
To add a layer of security to your data, create your own encryption keys with Bring Your Own Key (BYOK). When you add an activated encryption key to an Archive service, your data is moved to a dedicated Azure Blob Storage account, which is encrypted at rest with the key. When Azure customers create the Blob Storage account, a dedicated Elasticsearch instance is created and then encrypted by an Elasticsearch Cloud key.
Bring Your Own Key Management System (BYOKMS) for Archive
Encrypting your AWS S3 bucket with AWS Key Management Service (KMS) gives you complete control over the key used for encryption. With AWS KMS, your data is stored in a dedicated S3 bucket, encrypted by your key, and only you can manage the key.
Archive Console Roles-Based Access Control (RBAC)
Enterprise organizations with multiple orgs can assign specific roles and access levels to a variety of businesses with the Role-Based Access Control (RBAC) feature in the Archive Console. This functionality establishes controlled data visibility and user operations.

Console Services Table

Label	Meaning
Provider	Salesforce
Type	`Sandbox` or `Production`
Service Name	Name given to Archive Service
Service ID	Your Salesforce domain
Domain	Archive Domain Name
Region	See Own Regions and IP Addresses for Allowlisting.
Business Unit	See Manage Business Units.
Plan Status	`Active`, `Inactive`, `POC`, or `Deleted`
BYOK	`Enabled`, `Disabled`, `Rotating Key`, or `In Progress`
Version	Archive-managed package installed

To access menu options, click the 3 dots to the far right side of the page.

Menu options include:

Edit: Change the Service name or description.
Import Policies
Duplicated Record IDs: Access a list of duplicate record IDs for records that exist both in Salesforce and in Archive.
Add/Remove Services

To drill down, click the Service name, or click one of the health widgets.

For more information, see Archive Console Dashboard.

Archive Console Mapping Regions

The connections between your Platform Region, Archive Console, and the Archive managed package.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Platform/Archive Console Region	Archive Package App Server
`app1`	`app1`
`au1`	`au1`
`au4`	`au4`
`ca1`	`ca1`
`ca4`	`ca4`
`emea1`	`emea1`
`emea2`	`emea1`
`emea4`	`emea4`
`hipaa1`	`hipaa1`
`hipaa4`	`hipaa4`
`hippa1`	`hippa1`
`sg1`	`sg1`
`uk1`	`uk1`
`us-east2`	`app1`
`usgov2`	`usgov2`

Add and Manage Archive Console Services

Add new and existing services to the Archive Console in the Archive managed package, and edit and remove them if required.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Add a New Service

You can manually add a new service to the Archive Console if your service is in the same region, and the service has a package installed. Only the Main Admin and Admin can add a new service.

Note The Admin responsible for a specific Business Unit (BU) must first have a service assigned to a BU.

Go to the Archive tab.
Click New Archive Service.
The Add Service window opens.
Select the Add New Service tile.
Enter the name of the service.
From the Org Type downdown list, select Sandbox or Production.
From the Region dropdown list, select a region.
Click Authenticate.
The Salesforce login page appears.
Select a username, and sign in to your Salesforce instance.
Click Allow.
When your Salesforce instance is connected to the Archive Console, you're redirected to the Archive tab.

Note The instance must have a package installed, and be connected to the same region. An error message is displayed if you don't have the correct permissions for the BU.

Add an Existing Service

In the Archive Console, you can align your services that have an onboarded package and are defined in Recover, with your Archive services.

Go to the Archive tab.
Click New Archive Service.
The Add Service window opens.
Select the checkbox for the orgs you want to add.
If you hover over the service name, you can view the org ID.
Click Add.
A success message appears:

The page automatically refreshes, and the orgs appear in the list as follows:

Manage Services in the Archive Console

Services onboarded to the Archive Console can be removed or edited.

Edit an Archive Service

Click the More Actions (three dots) menu.
Select Edit.
Enter the new details.
Click Save.

Remove an Archive Service

Click the More Actions (three dots) menu.
Select Remove.

Note This only removes the instance from the list. It doesn't remove the installed package. Any instances related to Bring Your Own Key (BYOK) can't be removed unless you delete the BYOK from that specific service.

Note You can't currently import policies among services that have Package #21 installed.

Archive Console Dashboard Overview

Archive Console dashboard gives you an immediate overview of the health of your organization in terms of data trends in the Archive managed package. Let's examine the data displayed in the dashboard.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Navigation

Click the down arrow to toggle between organizations.

Left-Side Navigation Bar

The left-side navigation bar shows access to:

Overview (Current Tab)
Policies Tab
Activities Tab

Top-Row Elements

Health—Salesforce Data storage, Salesforce File storage, Archived Records and API usage are all monitored.
The color that's displayed in the Overall Health column indicates your org's health level.
- Green—All indicators are positive or neutral, which is a high level of health.
- Yellow—Any two indicators, such SF Data Storage and SF File Storage, are red, which is a medium level of health.
- Red—Three or more indicators are red, which is a poor level of health.
Archived Records—Number of records archived over the last 30 days.
Click to view the archiving trend in detail.
SF Data Storage—Current data storage status of your instance.
SF File Storage—Current data file status of your instance.
API Usage—Number of API calls over the last 30 days.

Middle Row Elements

Data Storage Usage—Overview of Salesforce and Archive records, including objects such as Accounts, Contacts, Opportunities, Cases, and custom objects.
Blue data represents data in Salesforce, while green data represents records stored in Archive.
The display is available on a weekly, monthly and quarterly view.
File Storage Usage—Overview of Salesforce and Archive files and attachments such as documents, images, spreadsheets, presentations, and other file types.
Purple data represents files in Salesforce. Green data represents files stored in Archive.
The display is available on a weekly, monthly and quarterly view.

Bottom Row Elements

Total Archive Searches (last 30 days)—This data provides insights into the number of Admin-performed searches via Archive Search.

Total Widget Searches (last 30 days)—This data provides insights into the number of end-user-performed searches via Archive Widget.

Archive Console Activities Tab

Set up a customized view of the fields displayed in the Activities log in the Archive managed package.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Most Archive activities are displayed under the Activities tab.

Note The Storage Analyzer activity is available for review and analysis under the Activities tab from the Archived Package only.

From the left-side navigation bar, the total number of activities performed and a checkmark reflecting the status of the latest activity is displayed.

Go to the Activities tab. The main page displays the latest activities in these tables.

Activity Statuses
Icon	Meaning
	Activity failed.
	Activity in process.
	Activity partially successful.
	Activity pending.
	Activity successful.

Activity Actions
Action Name	Icon	Meaning
Archive		Data archived.
Export		Data exported as a CSV file.
Purge		Data that was purged via the purge policy. A scheduled purge policy with zero results don't appear in the Activities Log.
Purge by Retention		Data that was purged via the retention period defined in the Archive policy.
Right To Be Forgotten (RTBF)		Data removed as RTBF. This action is only reported in Archive Console and not via the Archive managed package.
Unarchive		Data manually unarchived.
Unarchive SDK		Data that was programmatically removed via the SDK.

Activities—Default Fields
Name	Meaning
Action	See Activity Actions for icon definitions.
API Usage	Number of API calls required for this activity.
End Date	A live update on the activity status. When completed, end time and date of activity are displayed.
Policy Name	The name given when creating the policy.
Primary Records	Total number of root records processed.
Records Failed	Total number of root records that failed to be processed.
sObject	The standard or custom objects storing record data according to the policy. Unarchive and Export actions are shown as N/A.
Start Date (UTC)	Start time and date of activity.
Status	See Activity Status for icon definitions.
Total Records Attempted	The number of root and children records included in the action.

To customize the displayed fields in the Activities log:

Click Display Settings.
From the Display Settings, select the fields you want to add.

Note You must select at least one field to be displayed.

When applicable, the More Actions (three dots) menu to the far-right side of the screen gives access to these additional options.

Option	Definition
Abort	End a process when the activity is incomplete. For more information, see Abort an Archive Operation.
Unarchive	Revert a completed Archive operation and restore the records back into Salesforce.
View Failed Log	This report is delivered only in the event of records failing to be processed. Review the report to identify specific records and take remediation steps.
View Full Log	This report shows all records that the activity attempted to process, whether the execution fails or succeeds.

Archive Console Policies Tab

The Policy tab shows existing archive and purge policies defined from Archive Console in the Archive managed package. You can edit, view, search, run, disable, and delete an active Archive policy from here.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Note When a policy has been created or edited from Archive Console, it can't be opened for viewing or editing from the Archive package. The Run Now feature is available for both Archive Console and the Archive package.

Policy Table Default Fields
Field Name	Description
Active	Status of `Active` or `Inactive`.
Policy ID	Unique identifier of Archive policy.
Policy Name	Name of Archive policy.
Policy Type	Archive or Purge
Query	SOQL created for the Archive policy.
Schedule Frequency	`Daily`, `Weekly`, or `Monthly`
Scheduled On	Scheduled day that Archive policy is set to run.
Scheduled Time UTC	Scheduled time that Archive policy is set to run.
sObject	Root object selected

Customize Policy Table Fields

Note Available for services from Archive Package 16 and later.

To set up your view of the Policy table fields:

Click Display Settings.

Add as many fields as you need from the Available Fields column to the Selected Fields column on the right.

Use the up and down arrows to prioritize your display settings.

Field Name	Description
Active	Indicates where Archive policy is active. Valid values are `yes` or `no`.
Boost	Indicates whether Boosting is enabled on Archive policy. Valid values are `yes` or `no`.
Content Document	Indicates whether Archive with Content Document feature is checked. Valid values are `yes` or `no`.
Content Document Filter	sObject used to filter Content Document archiving.
Created By	ID of user who created Archive policy.
Description	Description of Archive policy.
Frequency	How often the archive or purge process runs. Valid values are `Daily`, `Weekly`, or `Monthly`.
Hot Data Threshold	Specific hot data specified in Archive policy. This field is empty if system settings are used.
Last Modified By	In Archive Console, email of user who last updated the Archive policy. In Archive Console before August 2024, Archive Console User ID. In the Archive package, Salesforce User ID.
Last Modify Date	Time and date when Archive policy was last modified.
Limit	Number of records limited per execution in Archive policy.
Local Hot Data Used	Indicates whether or not hot data is present. Valid values are `yes` or `no`.
Policy Name	Name of Archive policy.
Policy Type (Record Type)	Archive or Purge
Query	SOQL created for Archive policy.
RecordID	Salesforce Record ID of Archive policy.
Retention Source	Archive Date, Created Date, or Updated Date
Retention Years	Number of years to retain data.
Retention Months	Number of months to retain data.
Scheduled Day (Scheduled On)	Date when Archive policy is scheduled to run. Valid values are the day of the week or the day of the month. If there's no scheduled date, this field remains empty.
Scheduled Time	Time when Archive policy runs.
sObject Name	Root object selected.
Soft Deleted	Indicates where Archive policy soft deleted. Valid values are `yes` or `no`.

Note You must select at least one field.

Click Save.

Create Archive Policies from Archive Console

Archive Console offers these features for managing policies in the Archive managed package.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Key features include:

A detailed view of the direct lookup child objects associated with the sObject that are eligible for archiving with the policy.
The ability to select which objects to include in the Archive operation.
Automatic archiving of Master-Detail object relationships.
Support for AND/OR logic in the Policy Query Builder to refine archive criteria.

Note When a policy is created or modified through Archive Console, the policy can't be edited from the Archive package.

To create a new policy, click New Policy from the Policies tab.
The main screen shows the Policy Builder.

By default, policies created from Archive Console open in Multi Level archiving mode. Switch to Single Level or All according to your archiving needs. For more information, see Schema of Related Child Objects.
Complete these fields.
- Description—Include a policy description. This field is optional.
- Enabled/Disabled—Only a policy set to Enabled can be run from Archive Console. The default value is Enabled.
- Policy Name—Enter an identifiable name. For example, Inactive Cases Opened 2 Years Ago. This field is mandatory.
- Schedule Policy (UTC)—Schedule the frequency of the policy to run daily, weekly, or monthly. This field is mandatory.
  - For Day, select the hour from the dropdown list.
  - For Week, select the day of the week (Sunday–Saturday) and the hour.
  - For Month, select the day of the month and the hour. You can also select the policy to run on the last day of the month.

Object Selection and Preview

After selecting an Object from the dropdown list, the right-hand side of the screen displays the Preview option, along with a schema of related lookup child objects, if any relationships exist.

Select a root (sObject) from the dropdown list.
Objects are searchable by API or Table name. The objects on the list are root objects available for deletion from your org. For an object to be archived as a root object, these calls must be supported.
- create()
- delete()
- describeSObject()
- query()
- update()
Any object in your environment that doesn't support all required API calls aren't available in the Archive Object list when creating a policy.
In the Limit field, specify up to two million records to archive. The default value is 10.
To archive more than two million root records daily, create multiple policies with the same SOQL query and schedule them at different times. While each policy is limited to two million root records, the total number of archived records can exceed this due to lookup child records.
Make sure policies with overlapping SOQL queries or date ranges run at different times.
Enable Boost to archive up to two million records. For more details, see the Boost section in Advanced Settings.
To clear all existing builder content and enable query output for direct editing, switch to Manual mode. Then you can define a custom set of conditions for generating your query using combinations of AND/OR rules.
Note Switching from Manual mode back to Builder mode reverts the query output to this default format.
SELECT Id FROM Sobject LIMIT X
To open the field dropdown list and select the desired object, click + Add Filter. Additional filtering options become available when selecting a date field type object, such as CreatedDate or LastModifiedDate.

Choose the value to filter by from the Value dropdown list. Click the + icon to add an AND filter. Click + Add OR to include an OR filter.
To create complex queries tailored to your needs, manually create a SOQL Query. You can construct a query to archive records based on criteria from the root object.
For example, to archive all tasks where the parent cases have a status of Closed, use a query structured to include these conditions.
```
SELECT Id FROM Task WHERE WhatId IN (SELECT Id FROM Case 
WHERE status ='On Hold') LIMIT 10
```
This query can be applied to all objects.
To archive a ContentDocument, use one of these methods.
- Archive the ContentDocument as a root object by selecting ContentDocument from the Archive sObject dropdown list.
- Archive the root record and its related ContentDocuments by selecting the root sObject from the dropdown list. The dynamic wizard displays a checkbox for archiving related ContentDocuments. Click the Include Content Documents checkbox.
This action triggers a warning, prompting you to review and approve the operation before proceeding.
To expand the schema selection of related lookup child objects, click the expand icon.
Select descendant objects of a lookup by clicking the expand icon next to each item.
A blue checkmark indicates selection.
To expand the hierarchy and view additional child objects, click the expand icon.
Note Selecting a lookup doesn't automatically check all underlying children. Each lookup child must be selected individually.
Lookup objects can be selected. However, master-detail and restricted lookups are indicated by a locked icon and can't be selected. You can still click to view and select lookup objects in their hierarchy.
- The policy is to archive the root record and all selected lookup relations across all levels.
- If a lookup object is selected and its root object is later unselected during editing, the lookup object is excluded to prevent orphan records.
- Allow up to 48 hours for any changes to objects, fields, or lookups to be fully processed and visible across all related applications.
  Note sObject types often appear multiple times in a schema diagram due to complex relationship structures and are marked with the icon. When an object type is repeated, all instances of that object and associated relationships are treated identically, following the same archiving criteria. For example, when Cases is checked in any part of the hierarchy, all reoccurrences are automatically checked throughout the tree.
  To prevent infinite loops, lookup objects under the same object type become leaf nodes without direct lookup objects. Therefore, lower occurrences of the same object type can't be drilled down. This object type is a recurrence of its ancestor.
  To verify that certain master-detail objects aren't omitted due to the override settings on Field Objects, History Objects, and Exclude Share, go to Archive Settings.
To archive the root object and all its descendants, select All. We strongly recommend Admins validate and approve that:
- Records underneath are archived together with the root object.
- No limitations or dependencies exist to prevent the whole object from being deleted from Archive.
For more information, see Archive Multi-Level Objects. For a list of auto-skipped objects, see Salesforce Objects Excluded from Archive.
Click Preview.
The Preview function provides a sample of 10 records based on the policy query and confirms that the policy archives the correct records. This option is available per policy and per user.
Optionally, to define the fields viewable in the preview table, click Preview Settings. Then click Save Settings & Close.
- The ID field is selected by default.
- You can search and select up to 15 relevant fields.
Note Preview settings are maintained if the same object is selected on future policies.
Click Generate Preview.

The table displays sample records with the selected columns that meet the criteria of the SOQL.

Retention Policy & Advanced Settings

In the Retention Policy section, select one of these sources from the dropdown list.

Archived Date
Created Date
Last Modified Date

Creating a retention period of zero years and zero months means data is automatically purged within 24 hours.

Note When created, you can edit the retention policy.

Consider whether you want the retention period to apply retroactively to existing archived data, or only to records archived from this point forward. Create a policy with an updated retention period to restrict the system to querying only newly archived records. Change the current retention period to impact already archived records and new ones.

Tip If you have a new retention criteria for a specific object, and you don't want previously archived records of that object impacted, stop archiving with this policy and create one with the new retention criteria.

To access Advanced Settings, click the expand icon on the right side of the screen.

Data Protected for (Days)—Set the number of days to prevent newly created records from being archived. Updated records aren't archived during this protection period, even if they match the policy criteria. The default setting is 90 days.
Click to reset the protection period to the org-wide default protection period.
Boost—Accelerate archiving throughput by running parallel activities.
You can have up to four active boosted policies. Each policy, when boosted, can perform up to eight parallel activities.
Note When you select a fifth policy, an error message indicates that you have reached the allowed limit. A disabled policy isn't included in the count.

You have multiple concurrent activities by crossing the root records threshold of 200k. From 200k to 400k, you have two concurrent activities. From 400k to 800k, you have four concurrent activities. If you have more than 800k root records, you have eight concurrent activities.
Enable Archiving of Over 800 Lookups for Each Root Record—The policy continues archiving even when Salesforce fails to delete any lookup child records. This process doesn't roll back but provides:
- A list of failed records
- The Salesforce error message explaining why each record failed
For more information, see Enable Archiving of Over 800 Lookups for Each Root Record.

To save your changes in Advanced Settings, click ones of these options.

Save—Saves your changes and displays a confirmation message while keeping you on the same page.
Save & Back—Saves your changes and returns you to the Policy table.
Save & Run Now—Confirms the changes and directs you to the Activities table for follow-up actions.

Import Service Policies to Archive Console

You can import policies from your Salesforce service to the Archive Console in the Archive managed package.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

You must have the Archive Admin permission set for the organization you're importing to.

To import policies:

Go to the Services page.
Click the three dots next to the desired service and select Import Policies.
The Import Policies window opens.

Note Policies can only be imported between instances running the same package version.
Purge policies can't be imported.
By default, policies with boosting enabled are imported without boosting. To re-enable boosting, edit the policy after import and manually re-enable the boost.
Each policy import requires a unique combination of Org ID, Policy Name, and sObject. This applies even to previously deleted policies.
Refreshing a Salesforce org generates a new Org ID, breaking the connection to the Archive server. This causes imports to fail. The old org entry in the Archive Console doesn't reactivate. To continue, add the refreshed org as a new connection and remove the old entry.
From the Import From dropdown menu, select the organization from which you want to import policies.
Policies from the selected org populates the table.
Select the policies you want to import. You can also use the search bar to find specific policies.

Note Optionally, check the box for Set all policies to inactive if you want to import the policies as inactive.
Click Import to initiate the process.
When the process is complete, a confirmation message displays a status report of the imported policies.

View Imported Policies

You can view the policies that were imported into the target Salesforce org by following these steps.

Select the org that you imported the policies to.
Go to the Policies tab.
From the dropdown menu, select All Policies.

The imported policies are displayed in the policy table.

Manage Policies from the Archive Console

Manage Archive policy operations, including Edit, View, Preview, Run Now, Enable/Disable, Delete, and Clone from the Archive Console in the Archive managed package.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Access Policy

Edit, View, Run Now, Enable/Disable, Delete are accessed from the same menu by clicking the three dots (More Options icon) in the Policy table.

Preview is available from both the View and Edit screens of a policy.

Clone is accessed from within the View screen via the More Options icon.

Edit Policy

Modify these fields of an existing policy.

Last Modified Date as per the browser's record.
Modified By, which shows the user who last edited the policy. The Modified By user's identity consists of:
- Email of the last policy updater (Console)
- Salesforce User ID (updated from Package).
- Console User ID (updated from Console before August 2024)

After editing, choose one of these actions.

To save your changes and displays a confirmation message while keeping you on the same page, click Save.
To save your changes and returns you to the Policy table, click Save & Back.
To confirm the changes and direct you to the Activities table for follow-up actions, click Save & Run Now.

Note Policy Name and Object can't be modified after a policy is created.

View Policy

View all the fields and details of a read-only policy without making any changes.

Note From View, if edits are required, you can switch to Edit mode.

Preview Policy

To verify that a policy archived the correct records, review a sample of records based on the policy's query.

Before generating the preview, define the fields visible in the Preview table. Click Preview from the More Options icon on a policy's View or Edit screens.

Functionality:

Displays a sample of 10 records that match the policy's SOQL query.
Preview Settings configures which fields are visible in the Preview table. You can select up to 15 relevant fields, with the ID field selected by default.
Note Preview Settings are saved per user and policy.
Generate Preview views the sample records with the selected columns that meet the criteria of the policy's query.
Save Settings & Close applies these settings and maintains them for future policies using the same object.

Run Now

Execute the policy based on its predefined configurations.

Note Run Now is available only for enabled policies.

Enable/Disable Policy

Enable or disable the policy based on operational needs.

Enable: Turn on policies that are ready for use.
Disable: Temporarily deactivate policies without deleting them.

Delete Policy

Deleting a policy removes it permanently from the system. This action is irreversible.

Clone Policy

Create a copy of an existing policy. Cloning is useful for creating similar policies with slight modifications. Click Clone from the More Options icon on a policy's View screen.

Important Considerations:

Rename the cloned policy, which ensures both the sObject and Policy Name are unique.
Make sure to save the new policy.
Boost is disabled by default on cloned policies.

Archive Multi-Level Objects

Salesforce data consists of complex hierarchical relationships, where records are interdependent across multiple levels. For example, an Account has associated Contacts, which are linked to Tasks, and so forth. Hierarchies can span multiple levels, and the Archive Console in the Archive managed package supports multi-level archiving up to 10 levels deep, ensuring descendant records are archived with the root object.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

This feature is available from the Archive Console's policies tab on instances with Archive Package 21 and above installed.

Create and Manage Archive Policies in the Archive Package

You can create policies in either the Archive Package or the Archive Console. The Archive Package only supports archiving single-level lookup relationships, while the Archive Console supports both single- and multi-level archiving.

When created, policies can be viewed, edited, and executed from the Console. Policies created in the Archive Package default to Single-Level archiving mode, but you can switch to Multi-Level archiving by selecting the Multi-Level tab.

Note

Policies created or edited in the Archive Console can't be edited from the Archive Package.

A policy created in the Package and then opened in the Console opens by default in the single-level tab. Switching to Multi-Level resets the query, and selected objects won't be saved.

Create and Manage Archiving Policies in the Archive Console

By default, policies created or edited in the Archive Console open in Multi-Level archiving mode. You can switch to single-level archiving or choose All depending on your requirements.

Single Level—Archives only one level down the hierarchy.
Multi Level—Allows relationship drill-down and selection up to 10 levels.
All—Archives the root object along with all related records in the hierarchy.

Note The Search feature only retrieves results from lookup fields on the first level that are currently exposed. The search results don't include hidden lookup fields further down the hierarchy.

Selecting All does not display the hierarchical structure in the schema. For more information, see Archiving All.

Archive Multi-Level Lookup Objects in the Archive Console

When creating or editing a policy in the Archive Console, a schema on the right-hand side of the screen displays the hierarchy of master-detail and lookup relationship objects for the selected sObject. You can click the first level of the hierarchy to drill down, view, and select its descendant records as needed.

Key
Icon	Meaning
	Objects with a grayed-out checkmark is auto-archived with the root object because a master-detail or restricted lookup relationship exists. To identify restricted lookups, click the Hide Master Details checkbox. This shows the first level of restricted lookups only. Restricted lookups remain in view.
	Objects available for selection
	Access to drill down. Expand the section to reveal the next level of related objects.
	Non-editable master detail-related objects and/or a restricted lookup relationship exist.
	Lookup selected

Select Multi-Level
Click the + icon next to the desired lookup child object.
- A hierarchical tree opens, displaying the first level of direct children.
- A blue checkmark indicates your selection.
Note Changes made to an object's fields may take up to 48 hours to reflect in the schema.
To expand master-detail and restricted relationships, click the > arrow icon. This action displays the child objects beneath the current level.
- Selecting a lookup applies only to the lookup itself. Children of that lookup must be selected individually.
- Master-detail and restricted lookups display a locked icon, indicating they aren't selectable. However, you can drill down to select lookup objects beneath them.
Click Save to archive the root object and the selected lookup relationships across all levels.

The policy archives the root record and all selected lookup relations across levels.

Note If a child object is selected but its parent is later unselected during editing, the child object is excluded to prevent orphan records in the system.

Important Considerations

sObject Types in Schema Diagrams: Due to complex relationships, sObject types appears multiple times in a schema diagram. All instances of an object type, along with their associated relationships, follow the same archiving criteria. For example, once Cases are selected anywhere in the hierarchy, all reoccurrences are checked throughout the tree.
Child Objects as Leaf Nodes: Child objects under the same object type become leaf nodes without direct child objects to prevent infinite loops. If the same object type appears at multiple levels, lower instances can't be drilled down. When attempting to select these, a message displays:
This object has already been selected and can't be drilled down from here. This object type is a recurrence of its ancestor.

Verify Archive Settings

Check the Archive Settings to verify that these master-detail objects aren't omitted due to override settings on:

Exclude Feed Objects
Exclude History Objects
Exclude Share Objects

All Archiving

Selecting All archives the root object, and all descendants. We strongly recommend Admins validate and approve that:

All records under the root object are archived together.
No limitations or dependencies prevent the entire object from being removed from Salesforce.

For more information, see Salesforce Objects Excluded from Archive for a list of auto-skipped objects.

View Policies

When an existing policy is opened in the Console, it is on the Single Level tab. Switch to Multi Level to drill down and continue into additional levels on selected child objects as needed.

Archive Search & Widget Search

Users can search for a root record archived with multiple levels of relationships. Click a record identified in the Search results. Click the Related tab to view related lookups and continue to drill down to levels based on the current schema structure.

Unarchive

When unarchiving a lookup relation object, begin by unarchiving the root. The lookups are returned intact, pointing to their descendant objects.

Limitations

These objects aren't currently supported.

Junction Objects are supported only on one side.
Side branches refer to lookup children that point to a different parent, which is not displayed or selectable within the hierarchical schema.

Enable Archiving of Over 800 Lookups for Each Root Record

When archiving a root record, such as an Order, Case, or custom object, that has over 800 lookup records, the Archive managed package has a dedicated setting to handle archiving and purging.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

The Enable Archiving of Over 800 Lookups for Each Root Record setting determines how the system behaves when there's a risk that not all lookup records are deleted successfully. In rare instances, this can result in duplicate records, and with this setting you can decide to proceed anyway.

To turn on the Enable Archiving of Over 800 Lookups for Each Root Record setting, in the Archive Console go to the Advanced section of your Archive policy. When this setting is enabled, you can:

Archive root records with more than 800 linked lookup records.
Archive or purge up to 10,000 lookup records per job.
Continue Archive jobs even if certain lookup records fail to delete, preventing complete job blockage.

Use this setting for large root records such as Cases with many lookup record-related Emails or Tasks where there's a possibility of duplicate lookup records.

Types of Duplicates

Duplicate Lookup Record: One or more lookup records are archived but fail to be deleted.
Duplicate Root and Lookup Records: All lookup records are archived, but some aren't deleted, and the root record itself fails to be deleted.

How Bulk Deletion Works

For root records with numerous lookup records, Archive uses batch processing for deletions.

Root and Child Deletion Strategy
- Over 800 Children: The root record's deletion is processed separately from its lookup child records.
- 800 or Fewer Children: The root record and its children can be deleted in a single request.
Child Record Batching
- Up to 10,000 lookup child records can be deleted per archive job.
- The process begins by dividing the total record count into primary requests, each containing up to 1,000 record IDs.
- These children are then processed in smaller subrequests, typically in batches of up to 200 record IDs.
Deletion Logic for Requests
- Initial Request (All or None): The first batch of children is processed with an "all or none" rule (allOrNone: true). If any record in this request fails to be deleted, the entire request is rolled back, and no records in it are deleted.
Subsequent Sub-Requests:
- Later requests are typically processed with allOrNone: false. If a record fails to delete, the system skips that record and continues deleting others in the request. This is a common point where a child record is archived but not deleted, resulting in a duplicate.
Processing Order:
- Generally, lookup child records are processed first, followed by their root record.
- If a root record fails to delete after its children are successfully deleted, the root record is duplicated.

How Archive Tracks Duplicate Records

Archive automatically tracks records that were archived but not deleted from Salesforce.

Prevents Rearchiving: Makes sure that these identified records aren't rearchived in future jobs.
Visibility: Provides visibility into affected records.
Report: Offers a downloadable CSV report of these duplicates from the Activity tab in the Archive Console.

Example Scenario

Let's say you archive a Case with 1,200 related Activity records.

Archiving: All 1,200 Activities have been successfully archived.
Deletion Processing: Because the Case (root) has over 800 Activities, its deletion is handled separately from the Activities (lookup childs). The Activities are then processed for deletion in batches.
Child Duplicate Scenario: If an Activity fails to be deleted from Salesforce due to a custom validation rule, it remains in Salesforce. This can happen when:
- The Activity that fails to delete is in a later processing batch, such as a second request.
- An earlier, large batch of Activities, a first request of 1,000, was successfully archived and deleted from Salesforce without any issues.
Root Duplicate Scenario: If all Activities are archived and deleted successfully, but the Case record isn’t deleted from Salesforce later, the Case becomes a duplicate.
In both scenarios, Archive tracks the duplicate record and includes it in the downloadable report.

Best Practices

If your activity reports show skipped or failed records due to a high number of lookup child records, turn on the Enable Archiving of Over 800 Lookups for Each Root Record setting.
For root records with over 800 lookup child records, Archive separates the deletion of the root record and its children lookup records to check if the processing is reliable.
After large Archive jobs are completed, review the CSV report for any duplicate records. The CSV report can be downloaded from the Activity tab in the Archive Console.

Abort an Operation from the Archive Console

Abort a running Archive activity from the Archive Console in the Archive managed package. This process is identical for Unarchive and Export activities.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Select the activity.
Identify the activity with an In Progress status that you want to abort.
Click the More Actions (three dots) menu on the far-right side of the activity row.
Select Abort.
In the window, select the reason for aborting the operation from the dropdown list.
Click Abort to confirm your action.
A success message is displayed to indicate that the operation has been initiated.

Activity Status Descriptions

Aborted—Abort operation has completed, or operation hasn't yet started.
Aborting—Abort operation is in progress. The process can take up to 90 minutes. During this period, any ongoing bulk record processing is canceled, and the details of the abort process are logged in the CSV file.

Unarchive from the Archive Console

Restore archived records in your org by reverting a completed operation directly from the Activities log in the Archive managed package.

Locate the Archive activity.
Find the archive activity you want to unarchive in the Activities log.
Access the Action Menu.
Click the ellipsis (three dots) on the far-right side of the activity row to open the menu.
Reconfirm your action.
In the confirmation pop-up, verify that you want to proceed with the unarchive operation.
Click Unarchive.

Activity Log Update

When the operation begins, the Activities table displays a new Unarchive Records label.

Important Considerations

Unarchiving is processed in bulk. If one record fails, the entire bulk operation fails.
Alternatively, if bulk unarchiving fails or is not ideal, customers can select specific records from the Archive Search and unarchive them individually.
Unarchiving can involve a large dataset, including hundreds of thousands of records
We recommend reviewing the archive details by opening the View Full Log file before proceeding.
Note Use this feature cautiously to avoid potential system performance impacts.

For more information, refer to the Archive Package Settings for Unarchive Related References Management.

Bring Your Own Key (BYOK, BYOKMS, and BYOKV) for Archive

Understand the differences among Bring Your Own Key (BYOK), Bring Your Own Key Management Service (BYOKMS) and Bring Your Own Key Vault (BYOKV) for Archive.

Important Services with BYOK, BYOKMS, or BYOKV cannot be deleted.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

For customers without BYOK, BYOKMS, or BYOKV enabled, their archived data is stored within our own AWS S3 bucket or Azure Blob Storage account. For AWS, each org has their own entity within the bucket, separated from other entities. For Azure, each org has their own container within the storage account, separated from other containers. These are encrypted with our encrypted key. Connected by an ETL pipeline is an instance of Elasticsearch. The ETL pipeline makes sure that all changes made within the S3 bucket or Blob Storage account are updated in Elasticsearch and vice versa. Within Elasticsearch, each client has their own index, connected to their entity in the S3 bucket or Blob Storage container. This Elasticsearch instance is also encrypted with our key.

To add a layer of security to your data, create your own encryption keys with Bring Your Own Key (BYOK). When you add an activated encryption key to an Archive service, your data is moved to a dedicated S3 bucket or Blob Storage account, which is encrypted at rest with the key. When the S3 bucket or Blob Storage account is created, a dedicated Elasticsearch instance is created. For AWS customers, this Elasticsearch instance is encrypted with the customer key. For Azure customers, this Elasticsearch instance is encrypted with an Elasticsearch Cloud key.

To update data from the new S3 bucket or Blob Storage account to the new Elasticsearch instance, an ETL pipeline is created. When the data is copied there, the original client entity in the S3 bucket or Blob Storage account and the original client cluster in the Elasticsearch instance are both deleted. When completed, the customer's data is only accessible with their own encryption key.

During the encryption process, Archive jobs are disabled so that there's a successful transfer of data without new data being lost or duplicated. Any searches in Archive are limited to data archived before encryption began.

Key Rotation

Customers can later archive their key and replace it with another wrapped encryption key. For customers using BYOK, when they upload a new key, the S3 bucket or Blob Storage account is redirected to the new key. For AWS customers, a new Elasticsearch is created and encrypted with the new key. The ETL pipeline is connected to the new Elasticsearch instance and updates the data in the instance. For Azure customers, a new Elasticsearch instance is created and encrypted with an Elasticsearch Cloud key.

For AWS customers using BYOKMS, rotating their key automatically redirects their S3 bucket. When rotation in Archive Console is confirmed, the new Elasticsearch instance is created. Until the rotation is confirmed in Archive Console, archiving is paused.

For Azure customers using BYOKV, rotating their key automatically redirects their Blob Storage account. The key rotation takes effect within 24 hours. Until the rotation is complete, any searches in Archive are limited to data archived before key rotation began.

Key Revocation

Active encryption keys can also be revoked, resulting in immediate inaccessibility to the underlying data.

Bring Your Own Key (BYOK)

With Bring Your Own Key (BYOK), the customer provides an encryption key to encrypt their data.

The customer is provided with our public key, which is used to wrap the customer's encryption key before uploading it. This process prevents a customer's encryption key from being exposed.

Rotating the key requires repeating the process of wrapping the customer's encryption key with our public key and uploading it.

Bring Your Own Key Management Service (BYOKMS)

With Bring Your Own Key Management Service (BYOKMS), the customer manages their keys within their own AWS Key Management Service (KMS), only providing an alias to encrypt their data. This alias is used to create a S3 bucket encrypted with the key without sending the actual key, providing access to it, or exposing it.

The customer can rotate the key in their own AWS KMS, but until the rotation is confirmed in Archive Console, the Archive service is paused and warning messages are raised in both Archive and Archive Console, prompting the user to confirm the rotation.

Warning We aren't responsible for weak keys, keys generated on a compromised machine, or keys moved through insecure media, all of which weaken the security of the stored data.

Bring Your Own Key Vault (BYOKV)

With Bring Your Own Key Vault (BYOKV), the customer manages their keys within their own Azure Key Vault (AKV). The customer installs our Enterprise application in their Azure account and assigns their AKV a role assignment to the application. The key is then used to create a Blob Storage account encrypted with the key without sending the actual key, or providing access to it, or exposing it.

Remove the BYOK Service

If a customer removes BYOK, their data is transferred back to the original S3 bucket or original Blob Storage account and Elasticsearch instance. A new entity or container is created in the original S3 bucket or original Blob Storage account, and the data from the customer dedicated bucket or storage account is copied there. An Elasticsearch index dedicated to the customer is created, and an ETL pipeline connecting it to the customer entity or container is used to transfer data from the entity to the cluster. When the procedure completes, the initial S3 bucket or Blob Storage account and Elasticsearch instance are deleted.

During the encryption removal process, Archive jobs are disabled so that there's a successful transfer of data without new data being lost or duplicated in the process. Any searches in Archive are limited to data archived before the removal process began.

Bring Your Own Key Vault (BYOKV) for Archive

Encrypting the storage account used to store your data using your Azure Key Vault (AKV) gives you sole access and management capabilities of the key used to encrypt the Azure Blob Storage account where your data is stored.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

BYOKV is an enhancement to Bring Your Own Key (BYOK) activities. Your data is stored in its own dedicated Blob Storage account and encrypted with your own key. You also manage that key in your own AKV, which gives you more control.

By default, we manage the keys and secrets required to encrypt and decrypt the stored objects. If you want more control over these keys, like importing, revoking, rotating, and so on, you can set up an AKV to use under your Blob Storage account.

Install the Enterprise Application

To encrypt the storage account with an encryption key managed in your AKV, the Enterprise application must be installed in your Blob Storage account and granted a role to use the key.

Important The application ID is: 752bf77b-5820-434c-bb2b-c1043be4d995.

Run this az ad sp create command in Azure CLI.

az ad sp create --id <archive_multi_tenant_application_client_id>

Grant the Enterprise Application a Role

If you haven't created the AKV and key to use for your Archive data yet, create them now.

For more information, see Customer Creates a Key Vault in the Azure documentation.

Select the AKV you intend to use.
Click Access Control (IAM).
Go to the Role Assignments tab.
Click Add.
Select Key Vault Crypto Service Encryption User from the list of Job function roles.
Click Next.
Click Select Members.
In the Select search field, search for and click Own Enterprise application.

It appears in the Selected Members area beneath the search field.
Click Select.

It appears in the Members list.
Click Review + assign.

Create an AKV and Key

To create an AKV, log into your Blob Storage account and go to Key Vaults.
Click Create.
Complete the project details. Select a region that's not correlated to the region of your Own account.

Note When creating your KV, you must turn on the Purge Protection setting.
To create a key, on the Key Vault properties page, select Keys.
Select Generate/Import.
On the Create a Key screen, specify a name for the key.

Set Up Key Rotation for BYOKV

Automate the key rotation process with Azure. We recommend applying their default settings.

Go to Set Key Rotation Policy > Not configured from the Create a Key menu.
In the Rotation policy, click Enable Auto Rotation.
Select Automatically Renew at a Given Time After Creation.

The default rotation time is set to 18 months.

Warning After key rotation, if required, wait at least 24 hours before deleting or disabling the previous key.

Enable BYOKV in Archive Console

Go to the Archive tab.
Click Bring Your Own Key.

If you can't see the Bring Your Own Key button, contact Support to turn on this feature.
Enter the Key Identifier of your key.

Archive doesn't make use of the version.
Click Activate.
If the key is verified, the status changes to In Progress. When completed, the status changes to Active.

If you can't see the updated status, refresh the browser and reopen the Bring Your Own Key page.

If the key verification fails, an error message appears.
Click Close.

If the Bring Your Own Key window was open when the activation of the key was completed, you must refresh the Archive Console. If the region is activated and the service is still missing, refresh the Archive Console window.

Add or Remove Services from BYOKV

When a region is set up to use BYOK, BYOKMS, or BYOKV, you can add the different services that are available in the Archive Console to the new encrypted region, if these services are assigned to that region. Adding a service moves all the archived data of that service from the general Archive S3 bucket to your dedicated S3 bucket, which is encrypted with your private keys.

This process can be lengthy, depending on the number of records to be moved. It can take anywhere from several hours to several days. There can be interruptions to the search quality during this time, so select the right time for your org to switch services. You can experience errors in Archive during this period.

Click the Action menu (three dots) next to the service name.
Select Add to BYOK.
Click Enable.
The service's status changes to In Progress. When completed, the service's status changes to Active.

To remove a service, click the Action menu (three dots) next to the service and select Remove from BYOK.

To remove a region from BYOK, contact Support for assistance.

Note This process removes a service from your BYOK region only, and can be lengthy, depending on the amount of archived records associated with the specific service. You can experience interruptions to the search quality during this time.

Swap from BYOKV to BYOK

If you decide that Bring Your Own Key is a more fitting solution, you can swap to it.

Note Once the switch is confirmed, it cannot be canceled. You will only be able to switch back to BYOKV once the switch to BYOK is complete.

Go to the Services page.
Click Manage BYOK.
Click Switch.
Click Switch.
The switch will only happen after you rotate your key.
Click Download Public Key.
Run the Mac or Linux sample script to generate a file with the encryption key wrapped by the public key.
Under Encrypted Passphrase, click Browse.
Select the encrypted passphrase.
Under Private Key PKCS12 Archive, click Browse.
Select the generated private key file wrapped in the public key.
Click Activate.

Your encryption method will be updated to BYOK and your data is encrypted with the uploaded private key.

Bring Your Own Key (BYOK) for Archive (AWS)

To add a layer of security to your data, create your own encryption keys with Bring Your Own Key (BYOK). When you add an activated encryption key to an Archive service, your data is moved to a dedicated AWS S3 bucket, which is encrypted at rest with the key. When AWS customers create the S3 bucket, a dedicated Elasticsearch instance is created and then encrypted with the customer key.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Set Up BYOK

Click Manage BYOK.
The Manage BYOK page is displayed.
To expand the activation section, click the arrow next to the Hosting Region.
Click Download Public Key.
To generate a binary file with the generated encryption key wrapped by our public key, run the Linux or Mac sample script.
In the Wrapped Encryption Key section, click Browse....
Select the generated binary file to upload.
Click Activate.

When the key is verified, the status changes to In Progress. When completed, the status changes to Active.

Note If the key verification fails, this error message is displayed:
Something went wrong while trying to encrypt your data. Please try to add a new key.
Click Close.

Add or Remove Services from BYOK

After activating BYOK for a region, you can add services to your encrypted region. All archived data associated with those services is moved from the general Archive S3 bucket to your encrypted S3 bucket.

To add a service to BYOK:

Click the Action menu (three dots) next to the service name.
Select Add to BYOK.
Click Enable.
The service's status changes to In Progress during the migration. When completed, the service's status changes to Active.

To remove a service, click the Action menu (three dots) next to the service and select Remove from BYOK.

To remove a region from BYOK, contact Support for assistance.

Note This process can be lengthy, depending on the number of records to be moved. It can take anywhere from several hours to several days. There can be interruptions to the search quality during this time, so select the right time for your org to switch services. You can experience errors in Archive during this period.

Rotate an Encryption Key

To rotate your encryption key:

Click Bring Your Own Key.
Click the arrow next to the region with the key you want to rotate.
Click Download Public Key.
To generate a binary file with the generated encryption key wrapped by the public key, run the Linux or Mac sample script.
In the Wrapped Encryption Key section, click Browse....
Select the file to upload the generated binary file.
Click Rotate.

If the key is verified, the status changes to Key Rotating. When completed, the status changes to Active.
Click Close.

On the Archive Service page, any services encrypted with the key show the Key Rotating status in the BYOK column. When the rotation is complete, the status changes to Enabled.

Generate Your Own Key in Windows

If you plan to generate the key on a Windows-based machine:

Download Git for Windows.
Install Git on Windows using the installation wizard.

The instillation wizard is long. Choose the default in all of the steps.

The most important one is selecting the OpenSSL library.
When GIT is installed, open the Git Bash application.
Within Git Bash, follow the instructions for Linux featured on this page.
Go to the directory where the two downloaded files, the sample script and the relevant public key, are located.
In Git Bash, run this script.
```
./archive-secretgen-linux.sh PublicKey.der
```
Note The script must have a ./ before the archive-secretgen-linux.sh script and PublicKey.der public key target.

Generate Your Own Key in Linux or Mac

If you plan to generate the key on a Linux or Mac operating system:

Select Download Public Key.
To generate the required information, download and run a Linux or MacOS sample script.

Change the script file to be executable.

For Linux:

chmod +x archive-secretgen-linux.sh

For Mac:

chmod +x archive-secretgen-macos.sh

To create the wrapped encryption key, run one of the Scripts as sudo.
For Linux:
```
./archive-secretgen-linux.sh PublicKey.der
```
For Mac:
```
./archive-secretgen-macos.sh PublicKey.der
```
A new file containing the wrapped encryption key is created.
```
encrypted_secret.bin
```
Upload the generated file and click Browse.
Click Activate.

Revoke an Active Encryption Key

When revoking an active encryption key, all access to data is blocked within 15 minutes.

Warning When you revoke the key, Archive no longer runs, and you can't access your archived data. The Archive package assigned to your account is deactivated.

Log in to your Own account as the account owner.
Click Manage BYOK.
The Manage BYOK window shows your connected services per region and their status. The key you want to revoke has an Active status.
Click Revoke.
A warning is displayed, asking you to confirm the revoke action.
Enter the word "Revoke" (not case-sensitive) in the space provided.
Confirm the revocation by clicking Revoke.

The Manage BYOK window shows the region as Revoked.

Swap from BYOK to BYOKMS

If you decide that Bring Your Own Key Management System is a more fitting solution, you can swap to it.

Note

Make sure you have your KMS’s alias ARN before starting the switch process.
Once the switch is confirmed, it cannot be canceled. You will only be able to switch back to BYOK once the switch to BYOKMS is complete.

Go to the Services page.
Click Manage BYOK.
Click Switch.
Click Switch.
The switch will only happen after you rotate to your key management system.
Select the appropriate region from the dropdown list.
Enter the KMS Alias you created in AWS.
Click Rotate.

Your encryption method will be updated to BYOK and your data is encrypted with the uploaded key.

Bring Your Own Key (BYOK) for Archive (Azure)

To add a layer of security to your data, create your own encryption keys with Bring Your Own Key (BYOK). When you add an activated encryption key to an Archive service, your data is moved to a dedicated Azure Blob Storage account, which is encrypted at rest with the key. When Azure customers create the Blob Storage account, a dedicated Elasticsearch instance is created and then encrypted by an Elasticsearch Cloud key.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

To update data from the new Blob Storage account to the new Elasticsearch instance, an ETL pipeline is created. When the data is copied over, the original client entity in the Blob Storage account and the original client index in our Elasticsearch instance are both deleted. When completed, the customer’s data is officially only accessible with their own encryption key.

Note

Azure scripts generate two files for uploading as a private key in this process.

Set Up BYOK

Go to the Services page.
Click Manage BYOK.
Click Download Public Key.
Under Encrypted Passphrase, click Browse.
Select the encrypted passphrase.
Under Private Key PKCS12 Archive, click Browse.
Select the generated private key file wrapped in the public key.
Click Activate.
If the key is verified, the status changes to In Progress. When completed, the status changes to Active.

Note This process can take 40-60 minutes to complete. If you don't see the updated status, refresh the browser and reopen the Bring Your Own Key page.
Note If the key verification fails, one of these error messages is displayed.

No RSA private key found in the PKCS12 archive.

The RSA private key is too short, must be at least 2048 bits.

Failed to unwrap the passphrase, please verify that it was wrapped correctly.

Failed to extract the private key from the PKCS12 archive, please verify that the archive is valid and that the passphrase is correct.
Click Close.

To remove a region from your BYOK, contact Support.

You can remove the BYOK service from your region and migrate data back to the Archive S3 bucket.

Add or Remove Services from BYOK

After activating BYOK for a region, you can migrate services to your encrypted region. All archived data associated with those services move from the general Archive S3 bucket to your encrypted bucket.

Click the Action menu (three dots) next to the service name.
Select Add to BYOK.
Click Enable.
The service's status changes to In Progress during the migration. When completed, the service's status changes to Active.

To remove a service, click the Action menu (three dots) next to the service and select Remove from BYOK.

To remove a region from BYOK, contact Support for assistance.

Note This process can be lengthy, depending on the number of records to be moved. There can be interruptions to the search quality during this time, so select the right time for your org to switch services. You can experience errors in Archive during this period.

Rotate an Encryption Key for Azure

When rotating a key, all services under BYOK are automatically rotated. Key rotation is fast as there's no need for re-encrypting of the Elasticsearch key. The rotation takes effect seamlessly and instantaneously.

While automatic and instantaneous on our side, this process can take up to 24 hours to complete in Azure. Your information hasn't been moved. Only the encryption key has been updated. The old key is still valid until the process has finished.

Click Bring Your Own Key.
Click the arrow next to the region with the key you want to rotate.
Click Download Public Key.
Run the Mac or Linux sample script to generate a file with the encryption key wrapped by the public key.
In the Encrypted Passphrase section, click Browse and select the file to upload.
In the Private Key PKCS12 Archive section, click Browse and select the file to upload.
Click Rotate.
If the key is verified, the status changes to In Progress. When completed, the status changes to Active.

If you can't see the updated status, refresh the browser and reopen the Bring Your Own Key page.
The Created On value is updated with the date and time the key was activated.
Click Close.

Any services encrypted with the key on the Archive Service page shows the Key Rotating status in the BYOK column. When the rotation is complete, the status changes to Enabled.

Generate Your Own Key in Windows

In Azure, you must generate an asymmetric key, which consists of two files: one to lock or encrypt the records, and one to unlock or decrypt the cipher text. If you plan to generate the key on a Windows-based machine:

Download Git for Windows.
Install Git on Windows using the installation wizard.

The installation wizard is long. Choose the default in all of the steps.

The most important one is selecting the OpenSSL library.
When Git is installed, open the Git Bash application.
Within Git Bash, follow the instructions for Linux featured on this page.
Go to the directory where the two downloaded files, the sample script and the relevant public key, are located.
In Git Bash, run this script.
```
./archive-secretgen-linux.sh PublicKey.der
```
Note The script must have a ./ before the archive-secretgen-linux.sh script and PublicKey.der public key target.

Generate Your Own Key in Linux or Mac

If you plan to generate the key on a Linux or Mac operating system:

Click Download Public Key.
To generate the required information, download and run a Linux or MacOS sample script.

Alternatively, if you have your own process for creating a private key, generate it and then wrap it in our key.
Change the script file to be executable.
```
chmod +x archive-secretgen-macos-az.sh
```

To create the wrapped encryption key, run one of the Scripts as sudo.

For Linux:

./archive-secretgen-linux-az.sh PublicKey.der

For Mac:

./archive-secretgen-macos-az.sh PublicKey.der

Two new files containing the wrapped encryption key and passphrase are created.

Encrypted Passphrase: encrypted_secret.bin
Private Key PKCS12 Archiver: encrypted_secret.p12

Upload the generated files and click Browse.
Click Activate.

Revoke an Active Encryption Key

When revoking an active encryption key, all access to data is blocked within 15 minutes.

Warning When you revoke the key, Archive no longer runs, and you can't access your archived data. The Archive package assigned to your account is deactivated.

Log in to your Own account as the account owner.
Click Manage BYOK.
The Manage BYOK window shows your connected services per region and their status. The key you want to revoke has an Active status.
Click Revoke.
A warning is displayed, asking you to confirm the revoke action.
Enter the word "Revoke" (not case-sensitive) in the space provided.
Confirm the revocation by clicking Revoke.

The Manage BYOK window shows the region as Revoked.

Swap from BYOK to BYOKV

If you decide that Bring Your Own Key Vault is a more fitting solution, you can swap to it.

Note

Make sure you have your key vault’s key identifier before starting the switch process.
Once the switch is confirmed, it cannot be canceled. You will only be able to switch back to BYOK once the switch to BYOKV is complete.

Go to the Services Page.
Click Manage BYOK.
Click Switch.
Click Switch.
The switch will only happen after you rotate to your key vault.
Enter the Key Identifier of your key.
Click Rotate.

Your encryption method will be updated to BYOKV and your data is encrypted with the key in your key vault.

Bring Your Own Key Management System (BYOKMS) for Archive

Encrypting your AWS S3 bucket with AWS Key Management Service (KMS) gives you complete control over the key used for encryption. With AWS KMS, your data is stored in a dedicated S3 bucket, encrypted by your key, and only you can manage the key.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Backup Bucket Encryption

By default, all objects (data-at-rest) in backup S3 buckets are encrypted using server-side encryption. We typically manage the encryption keys for BYOK, but you can use your own AWS KMS if you require more control, such as importing, revoking, or rotating keys.

For detailed information about S3 and AWS KMS, see AWS KMS.

Create a Customer-Managed Key in AWS KMS

To encrypt your S3 bucket with AWS KMS, create a new Customer-Managed Key in your AWS KMS.

Go to the Key Management Service section in your AWS Console for the region that matches the app server storage region.
Create a new key and follow the onscreen instructions.
Grant administrative access to users or roles in your org according to your security policies.
To let the app access the key, add the corresponding AWS Principal ARN from the App Server Storage Region Locations table.

App Server Storage Region Locations
App Server	AWS Region	Account Numbers	AWS principal ARN
app1	us-east-1	284606693368	`arn:aws:iam::284606693368:root`
au1	ap-southeast-2	284606693368	`arn:aws:iam::284606693368:root`
ca1	ca-central-1	284606693368	`arn:aws:iam::284606693368:root`
emea1	eu-central-1	284606693368	`arn:aws:iam::284606693368:root`
emea2	eu-central-1	284606693368	`arn:aws:iam::284606693368:root`
hipaa1	us-east-1	284606693368	`arn:aws:iam::284606693368:root`
sg1	ap-southeast-1	284606693368	`arn:aws:iam::284606693368:root`
uk1	eu-west-2	284606693368	`arn:aws:iam::284606693368:root`
useast2	us-east-1	284606693368	`arn:aws:iam::284606693368:root`
usgov2	us-gov-west-1	422652744590	`arn:aws-us-gov:iam::422652744590:root`

Note Cross-region configurations between S3 and AWS KMS aren't supported. For more information, see Key Policies in AWS KMS.

Key Policy Requirements for S3 and Elasticsearch

Your key policies must meet these minimum requirements.

"Statement":[
                {
                    "Sid":"Allow use of the key",
                    "Effect":"Allow",
                    "Principal":{
                    "AWS": "<PRINCIPAL_ARN>"
                    },
                    "Action":[
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                    ],
                    "Resource":"*"
                    },
                    {
                    "Sid":"Allow attachment of persistent resources",
                    "Effect":"Allow",
                    "Principal":{
                    "AWS": "<PRINCIPAL_ARN>"
                    },
                    "Action":[
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                    ],
                    "Resource":"*",
                    "Condition":{
                    "Bool":{
                    "kms:GrantIsForAWSResource":"true"
                    }
                }
            ]

Activate the Key in Archive Console

After you create your key, you can activate it in the Archive Console.

Open the Archive tab.
Select Bring Your Own Key.
Select the appropriate region from the dropdown list.
Enter the KMS Alias you created in AWS.
Click Activate.
When the key is verified, the status changes to Active.
If the key verification fails, you receive an error message and must review the configuration.

Add or Remove Services from BYOK

This process can be lengthy, depending on the number of records to be moved. It can take anywhere from several hours to several days. There can be interruptions to the search quality during this time, so select the right time for your organization to switch services. You can experience errors in Archive during this period.

To add a service to BYOK:

Click the Action menu (three dots) next to the service name.
Select Add to BYOK.
Click Enable.

The service's status changes to In Progress during the migration. When completed, the service's status changes to Active.

To remove a service, click the Action menu (three dots) next to the service and select Remove from BYOK.

To remove a region from BYOK, contact Support for assistance.

Rotate Keys for BYOKMS

To rotate your encryption key:

Rotate the key in AWS KMS.
For more information, see Rotate AWS KMS Keys.
In the Archive Console, go to Bring Your Own Key.
Select the region where you rotated the key.
Click Rotate.

When completed, the key status changes to Active. The services encrypted with the key are re-encrypted.

If you had the BYOK window open during activation, refresh the console to display the updated status.

Note This process can be lengthy, depending on the data volume. Until the rotation is complete, any searches in Archive are limited to data archived before key rotation began. Select the right time for your org to complete the re-encryption process.

For more information, see Bring Your Own Key (BYOK, BYOKMS, and BYOKV) for Archive.

Swap from BYOKMS to BYOK

If you decide that Bring Your Own Key is a more fitting solution, you can swap to it.

Note Once the switch is confirmed, it cannot be canceled. You will only be able to switch back to BYOKMS once the switch to BYOK is complete.

Go to the Services page.
Click Manage BYOK.
Click Switch.
Click Switch.
The switch will only happen after you rotate your key.
Click Download Public Key.
Run the Mac or Linux sample script to generate a binary file with the generated encryption key wrapped by our public key.
In the Wrapped Encryption Key section, click Browse...
Select the generated binary file to upload.
Click Activate.

Your encryption method will be updated to BYOK and your data is encrypted with the uploaded key.

Archive Console Roles-Based Access Control (RBAC)

Enterprise organizations with multiple orgs can assign specific roles and access levels to a variety of businesses with the Role-Based Access Control (RBAC) feature in the Archive Console. This functionality establishes controlled data visibility and user operations.

Note This content relates to Archive. For Salesforce Archive, see Store Data Externally with Salesforce Archive.

Additionally, any configurations set in the Recover app are automatically synchronized with the Archive Console.

The Master Admin in the Archive Console controls the permissions for Bring Your Own Key (BYOK). Additionally, the Master Admin can add any service with an onboarded package that sits in the same region as the org. This can be done even if it isn't defined in Recover and isn't connected to a Business Unit (BU). Each service can only be assigned to one BU.

Note A service added directly from the Archive Console, not from Recover, is only visible to the Master Admin.

The Master Admin must first assign a service to a BU. After the Master Admin's assignment, the Admin responsible for that BU can proceed to add and manage the service.

The Admin also includes DevOps and Developer Users, which is defined in Recover BU. The org must be defined by the Recover settings assigned to the same region, and have an onboarded package. The Admin User is able to access Account Settings, add or remove users, manage the roles each person has in the BU, and manage BU that they administer.

Read Only users are only able to view the assigned BU.

RBAC Example

There are four users: Master Admin, User 1, User 2, and User 3. In this example, there are two BUs and two services. These services have been defined by the Recover. Service 1 has been allocated to BU1 and Service 2 has been allocated to BU 2. The Master Admin is the person who assigns the Admin and Read Only permissions. The Master Admin is the only one with all privileges.

The Master Admin assigns User 1 with Admin privileges to BU 1 and Service 1. Service 1 is setup on the Recover (backup) side and is assigned to BU1. User 1 can only access BU 1 and has the ability to edit, modify and add services to Service 1. User 1 doesn't have the permission to view or access Service 2.

The Master Admin assigns User 2 with Admin privileges to BU 2 and Service 2. Service 2 is setup on the Recover side and it assigned to BU 2. User 2 can only access BU 2 and has the ability edit, modify and add services to Service 2. User 2 doesn't have the permissions to view or access Service 1.

The Master Admin assigns User 3 with Read Only permissions. User 3 is assigned to both BUs. User 3 can only view what's in each service but can't edit, modify, or add other services in Service 1 or Service 2.

For more information, see the RBAC Matrix for Console on this page.

RBAC Matrix for Console

These tables show the permissions granted for the roles of Master Admin, Admin/Devops/Dev and Read Only.

Permissions for Service Level
Action/Role	View Services	Add Service	Edit Service	Remove Service	Duplicated Record IDs
Master Admin	✓	✓	✓	✓	✓
Admin/Devops/Dev	✓	✓	✓	✓	✓
Read Only	✓	X	X	X	X

Permissions for BYOK
Action/Role	View Service in BYOK	View Region in BYOK	Move Region to BYOK	Remove Region from BYOK	Add Service to BYOK	Remove Service from BYOK	Rotate Key
Master Admin	✓	✓	✓	✓	✓	✓	✓
Admins/Devop/Dev	✓	✓	X	X	X	X	X
Read Only	X	✓	X	X	X	X	X

Only Master Admins, Admins/DevOps, and Dev users can create or modify policies. Read Only users aren't permitted to create or change any policies.

Permissions for Policies Level
Action/Role	Create Policy	Edit Policy	Delete Policy	Disable/ Enable	Run Now	View Policy	Preview Policy	Define Preview Settings	Clone Policy	Estimate Purge Policy	Define Display Settings	Export All Policies
Master Admin	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
Admin/Devops/Dev	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
Read Only	X	X	X	X	X	✓	✓	✓	X	✓	✓	✓

Permissions for Activities Level
Action/Role	Unarchive an Archive Activity	Abort	View & Download Logs	Define Display Settings
Master Admin	✓	✓	✓	✓
Admin/Devops/Dev	X	X	✓	✓
Read Only	X	X	✓	✓

Did this article solve your issue?

Let us know so we can improve!

Product Area

Feature Impact

Edition

Experience

View the Archive Console

Console Services Table

Archive Console Mapping Regions

Add and Manage Archive Console Services

Add a New Service

Add an Existing Service

Manage Services in the Archive Console

Edit an Archive Service

Remove an Archive Service

Archive Console Dashboard Overview

Navigation

Left-Side Navigation Bar

Top-Row Elements

Middle Row Elements

Bottom Row Elements

Archive Console Activities Tab

Archive Console Policies Tab

Customize Policy Table Fields

Create Archive Policies from Archive Console

Object Selection and Preview

Retention Policy & Advanced Settings

Import Service Policies to Archive Console

View Imported Policies

Manage Policies from the Archive Console

Access Policy

Edit Policy

View Policy

Preview Policy

Run Now

Enable/Disable Policy

Delete Policy

Clone Policy

Archive Multi-Level Objects

Create and Manage Archive Policies in the Archive Package

Create and Manage Archiving Policies in the Archive Console

Archive Multi-Level Lookup Objects in the Archive Console

Important Considerations

Verify Archive Settings

All Archiving

View Policies

Archive Search & Widget Search

Unarchive

Limitations

Enable Archiving of Over 800 Lookups for Each Root Record

Types of Duplicates

How Bulk Deletion Works

How Archive Tracks Duplicate Records

Example Scenario

Best Practices

Abort an Operation from the Archive Console

Unarchive from the Archive Console

Activity Log Update

Important Considerations

Bring Your Own Key (BYOK, BYOKMS, and BYOKV) for Archive

Key Rotation

Key Revocation

Bring Your Own Key (BYOK)

Bring Your Own Key Management Service (BYOKMS)

Bring Your Own Key Vault (BYOKV)

Remove the BYOK Service

Bring Your Own Key Vault (BYOKV) for Archive

Install the Enterprise Application

Grant the Enterprise Application a Role

Create an AKV and Key

Set Up Key Rotation for BYOKV

Enable BYOKV in Archive Console

Add or Remove Services from BYOKV

Swap from BYOKV to BYOK

Bring Your Own Key (BYOK) for Archive (AWS)

Set Up BYOK

Add or Remove Services from BYOK

Rotate an Encryption Key

Generate Your Own Key in Windows

Generate Your Own Key in Linux or Mac

Revoke an Active Encryption Key

Swap from BYOK to BYOKMS