Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Work with Salesforce Key Material
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Work with External Key Material
Bring Your Own Key (BYOK)
External Key Management
How Salesforce Shield EKM Works
EKM Prerequisites
Key Coordination Policy Setup
EKM Considerations
Connect Salesforce to AWS KMS and Create a Data Encryption Key
Key Maintenance and Auditing for EKM
Audit an EKM Key
Deactivate an EKM Key
Reactivate an EKM Key
Rotate an EKM Key
Check the Connection to Your EKM Key
EKM in a Sandbox Org
Cache-Only Key Service
Configure Your Cache-Only Key Callout Connection
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Deactivate an EKM Key

When you want to revoke all access to encrypted data, or rotate keys as a part of planned maintenance, you can deactivate key material. The effect of deactivating key material is similar to that of deleting a key. Your data remains encrypted, but it can’t be decrypted.
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and either the EKM Service or the Cache-Only Key Service.

User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
Consider the effect on your users and data of deactivating the EKM key. Data encrypted with the key isn’t decryptable. Make sure that the data you need is synchronized to a different key.
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the External Key Inventory, click Details for the key you want to deactivate.
  3. In the pane that opens, review the information. Then click either Never Mind or Deactivate External Key.

Communicate with any other key managers that the key is now deactivated. Be alert for users reporting an inability to access encrypted data they could see previously.