Rotate an EKM Key

Key rotation is the process of updating or replacing your key material. You can update the configuration of an existing external key or replace it with a new one. If you change the external key, keep the key details aligned in both Salesforce and AWS KMS, because Salesforce can only use key material that it can still reach in your KMS account.
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and either the EKM Service or the Cache-Only Key Service.

User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
Keep these considerations in mind when rotating external keys.
  • If you deactivate or destroy an external key, the key material cached in Salesforce is evicted from the cache.
  • If you disable, deactivate, or delete the external key, or an associated Salesforce data encryption key, Salesforce can no longer decrypt data encrypted with that key, so that data is no longer accessible.
  • As a best practice, rotate data encryption keys in sandboxes after a refresh. Rotation ensures that production and sandbox orgs use different data encryption keys. You can’t activate or deactivate in a sandbox an external key created in production.
To rotate an external key:
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. Click Manage External Keys.
  3. Choose whether to use the latest configuration of the current key or to switch to a different key.
  4. Complete the steps on screen.

Store or version your old keys securely in case you need them later, for example to decrypt data that was never re-encrypted under the new key. Communicate the change so that everyone who needs to know is aware.
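The considerations above describe a two-level key hierarchy: an external key held in AWS KMS wraps a Salesforce data encryption key, the unwrapped key is cached while the external key is active, and retiring the external key makes everything encrypted under it unreadable. The following added example models that lifecycle so you can see why rotation alone does not retire old data and why old keys must be kept until that data is re-encrypted. It is illustrative code written for this page, not Salesforce or AWS code: the key IDs `kms-key-v1` and `kms-key-v2`, the `ExternalKeyStore` and `TenantEncryption` classes, and the HMAC-SHA256 stream cipher used in place of a real AEAD are all assumptions made so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy stand-in for a real cipher (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class ExternalKeyStore:
    """Stand-in for AWS KMS: external keys wrap and unwrap data encryption keys."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = {"material": secrets.token_bytes(32), "enabled": True}

    def disable(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = False

    def destroy(self, key_id: str) -> None:
        del self._keys[key_id]

    def _material(self, key_id: str) -> bytes:
        entry = self._keys.get(key_id)
        if entry is None or not entry["enabled"]:
            raise PermissionError(f"external key {key_id} is disabled or destroyed")
        return entry["material"]

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(12)
        return nonce + _xor_stream(self._material(key_id), nonce, dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return _xor_stream(self._material(key_id), wrapped[:12], wrapped[12:])


class TenantEncryption:
    """Stand-in for the org: one active external key, cached unwrapped DEKs."""

    def __init__(self, store: ExternalKeyStore):
        self.store = store
        self.wrapped_deks = {}  # key_id -> DEK wrapped by that external key
        self.dek_cache = {}     # key_id -> unwrapped DEK, evicted on deactivate
        self.inactive = set()   # external keys deactivated in the org
        self.active_key_id = None

    def rotate(self, key_id: str) -> None:
        """Make key_id the active external key with a fresh DEK wrapped under it."""
        dek = secrets.token_bytes(32)
        self.wrapped_deks[key_id] = self.store.wrap(key_id, dek)
        self.dek_cache[key_id] = dek
        self.active_key_id = key_id

    def deactivate(self, key_id: str) -> None:
        """Evict the cached DEK and refuse further use of this key in the org."""
        self.dek_cache.pop(key_id, None)
        self.inactive.add(key_id)

    def activate(self, key_id: str) -> None:
        self.inactive.discard(key_id)

    def _dek(self, key_id: str) -> bytes:
        if key_id in self.inactive:
            raise PermissionError(f"external key {key_id} is deactivated in the org")
        if key_id not in self.dek_cache:  # cache miss: unwrap via the external store
            self.dek_cache[key_id] = self.store.unwrap(key_id, self.wrapped_deks[key_id])
        return self.dek_cache[key_id]

    def encrypt(self, plaintext: bytes) -> dict:
        nonce = secrets.token_bytes(12)
        ct = _xor_stream(self._dek(self.active_key_id), nonce, plaintext)
        return {"key_id": self.active_key_id, "nonce": nonce, "ct": ct}

    def decrypt(self, record: dict) -> bytes:
        return _xor_stream(self._dek(record["key_id"]), record["nonce"], record["ct"])


def _readable(org: TenantEncryption, record: dict, expected: bytes) -> bool:
    try:
        return org.decrypt(record) == expected
    except PermissionError:
        return False


def rotation_walkthrough() -> dict:
    """Rotate v1 -> v2, migrate old data, then retire v1; report what stays readable."""
    store = ExternalKeyStore()
    store.create("kms-key-v1")
    store.create("kms-key-v2")
    org = TenantEncryption(store)
    org.rotate("kms-key-v1")
    secret = b"constructed sample record"          # constructed sample data
    old_record = org.encrypt(secret)
    org.rotate("kms-key-v2")                         # rotation: new writes use v2
    results = {"old_readable_after_rotation": _readable(org, old_record, secret)}
    migrated = org.encrypt(org.decrypt(old_record))  # re-encrypt under v2 first
    results["migrated_key_id"] = migrated["key_id"]
    org.deactivate("kms-key-v1")                     # evicts cache, blocks v1 use
    results["v1_cached_after_deactivate"] = "kms-key-v1" in org.dek_cache
    results["old_readable_after_deactivate"] = _readable(org, old_record, secret)
    org.activate("kms-key-v1")
    store.disable("kms-key-v1")                      # disabling in KMS also cuts off
    results["old_readable_after_kms_disable"] = _readable(org, old_record, secret)
    results["migrated_readable"] = _readable(org, migrated, secret)
    return results
```

The design point is the order of operations: rotate first, re-encrypt records that still reference the old key while that key is reachable in both the org and KMS, and only then deactivate or disable the old key. Deactivating in the org and disabling in KMS are shown as separate cuts because either one alone makes the old records unreadable.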