Key Management for Database Encryption
Database Encryption provides you with the ability to rotate your database tenant secret after it’s listed on the Key Management page. Deleting database tenant secrets isn’t permitted.
When you rotate your database tenant secret, all subsequent database encryption requests use the new database tenant secret to derive the per-fragment DEKs. The previous database tenant secrets are retained so that data encrypted under them can still be read. When data that was encrypted with a DEK derived from an older database tenant secret is updated, it is re-encrypted with a DEK derived from the new tenant secret (the seed), so in a typical database there is a gradual migration of data from DEKs derived with the older seed to DEKs derived with the latest seed.
Along with your database tenant secret, one of the inputs to your final database encryption key is the salt for the database fragment or page being written. As a result, only a relatively small amount of data (the fragment or page that shares a salt) is ever encrypted with an identical final database encryption key.
Currently, key rotation only affects new encryption operations. If you have a use case where you must re-encrypt your entire database, contact Salesforce support.
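The model described above (a versioned tenant secret, a per-fragment salt mixed into the DEK, old secrets kept for reads, and new writes picking up the newest secret) can be made concrete with a small simulation. The code below is an added illustration and is not Salesforce's implementation: the KDF (HKDF-SHA256), the `TenantKeyStore` and `EncryptedStore` classes, the version numbering, and the toy HMAC keystream used in place of a real cipher are all assumptions chosen for a self-contained, dependency-free example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


def hkdf_sha256(key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand over SHA-256, pure stdlib."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream_xor(dek: bytes, data: bytes) -> bytes:
    """Toy counter-mode stand-in (HMAC keystream XOR), illustration only.

    It is safe here only because every fragment gets its own DEK via a
    fresh salt, so no two fragments ever share a keystream.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(dek, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


@dataclass
class Fragment:
    secret_version: int   # which tenant secret this fragment's DEK came from
    salt: bytes           # per-fragment salt mixed into the DEK
    ciphertext: bytes


class TenantKeyStore:
    """Append-only list of tenant secrets: rotate adds, nothing is deleted."""

    def __init__(self) -> None:
        self._secrets: List[bytes] = []

    def rotate(self, new_secret: Optional[bytes] = None) -> int:
        self._secrets.append(new_secret or os.urandom(32))
        return self.current_version  # versions are numbered from 1

    @property
    def current_version(self) -> int:
        return len(self._secrets)

    def derive_dek(self, version: int, salt: bytes) -> bytes:
        # Final key = KDF(tenant secret of that version, per-fragment salt)
        return hkdf_sha256(self._secrets[version - 1], salt, b"db-fragment-dek")


class EncryptedStore:
    def __init__(self, keys: TenantKeyStore) -> None:
        self.keys = keys
        self.fragments: Dict[str, Fragment] = {}

    def write(self, name: str, plaintext: bytes) -> None:
        # Every write (new or update) uses the newest secret and a fresh salt,
        # which is what gradually migrates data to the latest seed.
        version = self.keys.current_version
        salt = os.urandom(16)
        dek = self.keys.derive_dek(version, salt)
        self.fragments[name] = Fragment(version, salt, keystream_xor(dek, plaintext))

    def read(self, name: str) -> bytes:
        # Reads re-derive the DEK from whichever (possibly old) secret was used.
        frag = self.fragments[name]
        dek = self.keys.derive_dek(frag.secret_version, frag.salt)
        return keystream_xor(dek, frag.ciphertext)

    def versions_in_use(self) -> List[int]:
        return sorted({f.secret_version for f in self.fragments.values()})


def rotation_demo():
    """Walk through a rotation and return the observed secret versions."""
    keys = TenantKeyStore()
    keys.rotate()                                   # version 1 becomes active
    store = EncryptedStore(keys)
    store.write("page-1", b"old record")
    store.write("page-2", b"another old record")
    before = store.versions_in_use()                # [1]

    keys.rotate()                                   # version 2 becomes active
    store.write("page-3", b"new record")
    after_rotation = store.versions_in_use()        # [1, 2]: old data still readable

    store.write("page-1", b"old record, updated")   # update migrates page-1 to v2
    after_update = store.versions_in_use()          # [1, 2]: page-2 still under v1
    migrated_version = store.fragments["page-1"].secret_version
    assert store.read("page-2") == b"another old record"
    assert store.read("page-1") == b"old record, updated"
    return before, after_rotation, after_update, migrated_version


if __name__ == "__main__":
    print(rotation_demo())
```

The `versions_in_use` output is the useful operational signal: after a rotation it shows how much of the store still depends on an older secret, which is exactly why the page says rotation only affects new encryption operations and a full re-encryption is a separate step.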