Rotate Your Encryption Key Material
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.
User Permissions Needed | |
---|---|
To generate, destroy, export, import, upload, and configure Shield Platform Encryption key material: | Manage Encryption Keys |
To decide how often to rotate, consult your security policies. How frequently you can rotate key material depends on its type and environment. For key material with a restriction, you can rotate the tenant secret once per listed interval.
Key Material | Key Type | Production Environments | Sandbox Environments |
---|---|---|---|
Fields and Files (Probabilistic) | Tenant secret | 24 hours | 4 hours |
Fields (Deterministic) | Tenant secret | 7 days | 4 hours |
Analytics | Tenant secret | 24 hours | 4 hours |
Event Bus | Tenant secret | 7 days | 7 days |
Search Index | Tenant secret | 7 days | 7 days |
Search Index | DEK | 1 hour | 1 hour |
Salesforce | Root Key | No restriction | No restriction |
Salesforce (for Data Cloud data) | Root Key | 3 months | 3 months |
Key Type | Key Statuses |
---|---|
AWS Root | Active, Activation Pending, Archived, Canceled, Inactive |
Salesforce Root (for Data Cloud data) | Active, Archived |
Salesforce Root | Active, Archived, Inactive |
Search DEK | Active, Archived, Destroyed |
Tenant Secret | Active, Archived, Destroyed |
- Active: The key can be used to encrypt and decrypt new and existing data.
- Activation Pending: The key is generated in Salesforce but is waiting for another process to complete activation.
- Archived: The key can’t encrypt new data. It can be used to decrypt data previously encrypted with this key when it was active.
- Canceled: The root key activation process is canceled.
- Destroyed: The key can’t encrypt or decrypt data. Data encrypted with this key when it was active can no longer be decrypted. Files and attachments encrypted with this key can no longer be downloaded.
- Inactive: The root key is present but inactive, which prevents the DEKs that it controls from encrypting and decrypting data.
Rotate Root Keys and Data Encryption Keys
- From Setup, in the Quick Find box, enter Key Management, and then select Key Management.
- In the Root Key Inventory, select a root key type tab. Click Generate Root Key, and then follow the prompts for generating a new root key.
  The new root key becomes the active root key and is used to secure new DEKs. Archived root keys continue to secure older DEKs that were generated when those root keys were active.
- In the Key Management Table, select a key type tab. If that key type supports DEKs, you see the option to rotate the DEK. Click Generate DEK.
  The new DEK becomes the active DEK. It’s secured by the active root key and encrypts new data from that time onward. Archived DEKs continue to decrypt data that they had encrypted. Archived DEKs are secured by the root key that was active when the DEK was generated.
Rotate Tenant Secrets
The key derivation function uses a primary secret (KDF seed, formerly master secret), which is rotated with each major Salesforce release. Primary secret rotation doesn’t affect your encryption keys or your encrypted data until you rotate your tenant secret.
- From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
- In the Key Management Table, select a key type.
- Check the status of the data type’s tenant secrets.
- Click Generate Tenant Secret or Bring Your Own Key. If you’re using a tenant secret of your own, upload your encrypted tenant secret and tenant secret hash.
- If you want to re-encrypt field values with your active key material, synchronize new and existing encrypted data under your most recent keys. You can sync data from the Encryption Statistics and Data Sync page in Setup.
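Added example, not Salesforce's own code: a small Python model of the rules described on this page. `ROTATION_INTERVAL` holds a subset of the interval table above, and `TenantSecretRing` applies the Active, Archived and Destroyed semantics from the status list to the tenant-secret rotation steps; the cipher itself is a labelled stand-in, since the real encryption runs inside Salesforce.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum time between rotations for a few rows of the interval table on this page.
ROTATION_INTERVAL = {
    ("Fields and Files (Probabilistic)", "production"): timedelta(hours=24),
    ("Fields and Files (Probabilistic)", "sandbox"): timedelta(hours=4),
    ("Fields (Deterministic)", "production"): timedelta(days=7),
    ("Fields (Deterministic)", "sandbox"): timedelta(hours=4),
    ("Event Bus", "production"): timedelta(days=7),
    ("Search Index", "production"): timedelta(days=7),
}

def rotation_allowed(material: str, env: str, last_rotated: datetime, now: datetime) -> bool:
    """True once the interval for this key material and environment has elapsed."""
    return now - last_rotated >= ROTATION_INTERVAL[(material, env)]

@dataclass
class TenantSecret:
    version: int
    status: str  # "Active", "Archived" or "Destroyed", as in the status list above

class TenantSecretRing:
    """Status transitions for the tenant secrets of one key material type."""

    def __init__(self) -> None:
        self.secrets: list[TenantSecret] = []

    def rotate(self) -> TenantSecret:
        # Generating a new tenant secret archives the one that was active.
        for s in self.secrets:
            if s.status == "Active":
                s.status = "Archived"
        self.secrets.append(TenantSecret(len(self.secrets) + 1, "Active"))
        return self.secrets[-1]

    def destroy(self, version: int) -> None:
        self.secrets[version - 1].status = "Destroyed"

    def encrypt(self, plaintext: str) -> tuple[int, str]:
        # Toy stand-in for the real cipher (assumption): record = (secret version, reversible body).
        active = next(s for s in self.secrets if s.status == "Active")
        return (active.version, plaintext[::-1])

    def decrypt(self, record: tuple[int, str]) -> str:
        version, body = record
        if self.secrets[version - 1].status == "Destroyed":
            raise PermissionError(f"tenant secret v{version} is destroyed; data is unrecoverable")
        return body[::-1]  # Active and Archived secrets both decrypt what they encrypted
```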