Rotate Your Encryption Key Material

You control the lifecycle of your data encryption keys by controlling the lifecycle of your key material. Salesforce recommends that you regularly generate or upload new Shield Platform Encryption key material. When you rotate a tenant secret, data encryption key (DEK), or root key, you replace it with either Salesforce-generated key material or key material that you supply.

This page is about Shield Platform Encryption, not Classic Encryption.

Note

Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

User Permissions Needed
To generate, destroy, export, import, upload, and configure Shield Platform Encryption key material: Manage Encryption Keys

Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Important

To decide how often to rotate, consult your security policies. How frequently you can rotate key material depends on the key type and the environment. For key material that has a restriction, you can rotate it one time per interval.

Table 1. Key Material Rotation Intervals

Key Material                       Key Type       Production Environments  Sandbox Environments
Fields and Files (Probabilistic)   Tenant secret  24 hours                 4 hours
Fields (Deterministic)             Tenant secret  7 days                   4 hours
Analytics                          Tenant secret  24 hours                 4 hours
Event Bus                          Tenant secret  7 days                   7 days
Search Index                       Tenant secret  7 days                   7 days
Search Index                       DEK            1 hour                   1 hour
Salesforce                         Root Key       No restriction           No restriction
Salesforce (for Data Cloud data)   Root Key       3 months                 3 months

Table 2. Key Material Statuses

Key Type                               Key Statuses
AWS Root                               Active, Activation Pending, Archived, Canceled, Inactive
Salesforce Root (for Data Cloud data)  Active, Archived
Salesforce Root                        Active, Archived, Inactive
Search DEK                             Active, Archived, Destroyed
Tenant Secret                          Active, Archived, Destroyed

A key’s status means the same thing regardless of key type.
Active
The key can be used to encrypt and decrypt new and existing data.
Activation Pending
The key is generated in Salesforce but waiting for another process to complete activation.
Archived
The key can’t encrypt new data. It can be used to decrypt data previously encrypted with this key when it was active.
Canceled
The root key activation process is canceled.
Destroyed
The key can’t encrypt or decrypt data. Data encrypted with this key when it was active can no longer be decrypted. Files and attachments encrypted with this key can no longer be downloaded.
Inactive
The root key is present but inactive, which prevents the DEKs that it controls from encrypting and decrypting data.

Rotate Root Keys and Data Encryption Keys

Shield Platform Encryption encrypts some data stores with key pairs composed of a root key and a data encryption key (DEK). Depending on the data store, you can rotate one or both keys in a key pair. Rotating root keys, which secure DEKs, can help you meet your compliance requirements for key handling. For data stores that allow for customer-managed DEKs, such as search indexes, you can also rotate DEKs. When you rotate a root key, the new root key becomes the active root key. Archived root keys continue to secure existing DEKs. When you rotate a DEK, it’s secured by the active root key.
  1. From Setup, in the Quick Find box, enter Key Management, and then select Key Management.
  2. In the Root Key Inventory, select a root key type tab. Click Generate Root Key, and then follow the prompts for generating a new root key.
    The new root key becomes the active root key and is used to secure new DEKs. Archived root keys continue to secure older DEKs that were generated when those root keys were active.
  3. In the Key Management Table, select a key type tab. If that key type supports DEKs, you see the option to rotate the DEK. Click Generate DEK.
    The new DEK becomes the active DEK. It’s secured by the active root key and encrypts new data from that time onward. Archived DEKs continue to decrypt data that they had encrypted. Archived DEKs are secured by the root key that was active when the DEK was generated.

Rotate Tenant Secrets

As with other key material, rotate Shield Platform Encryption tenant secrets to help you stay in alignment with your security and compliance obligations.

The key derivation function uses a primary secret (KDF seed, formerly master secret), which is rotated with each major Salesforce release. Primary secret rotation doesn’t affect your encryption keys or your encrypted data until you rotate your tenant secret.

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the Key Management Table, select a key type.
  3. Check the status of the data type’s tenant secrets.
  4. Click Generate Tenant Secret or Bring Your Own Key. If you’re using a tenant secret of your own, upload your encrypted tenant secret and tenant secret hash.

    Note

    You can have up to 50 active and archived tenant secrets of each type. For example, you can have 1 active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. This limit includes both Salesforce-generated key material and key material that you supply.

    If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data it encrypts with an active key.

  5. If you want to re-encrypt field values with your active key material, synchronize new and existing encrypted data with your most recent keys. You can sync data from the Encryption Statistics and Data Sync page in Setup.
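The lifecycle rules on this page (the Table 1 rotation intervals, the Table 2 statuses, and the 50-per-type tenant secret limit from the procedure above) can be checked before a rotation request is made. The following is an added example, not Salesforce code or API: it models an org's key-material inventory as constructed records, reports the reasons a rotation is not yet permitted, and shows that archived key material keeps decrypting while destroyed key material does not. The 3-month Data Cloud interval is taken as 90 days, an assumption.

```python
"""Constructed model of the key-material lifecycle this page describes: Table 1
intervals, Table 2 statuses and the 50-per-type limit. Example only, not Salesforce's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta

H, D = timedelta(hours=1), timedelta(days=1)
# (key material, key type) -> minimum interval in (production, sandbox); None = no restriction
INTERVALS = {
    ("Fields and Files (Probabilistic)", "Tenant secret"): (24 * H, 4 * H),
    ("Fields (Deterministic)", "Tenant secret"): (7 * D, 4 * H),
    ("Analytics", "Tenant secret"): (24 * H, 4 * H),
    ("Event Bus", "Tenant secret"): (7 * D, 7 * D),
    ("Search Index", "Tenant secret"): (7 * D, 7 * D),
    ("Search Index", "DEK"): (1 * H, 1 * H),
    ("Salesforce", "Root Key"): (None, None),
    ("Salesforce (for Data Cloud data)", "Root Key"): (90 * D, 90 * D),  # assumption: 3 months = 90 days
}
MAX_PER_TYPE = 50  # active + archived tenant secrets of each type
DECRYPTING = {"Active", "Archived"}  # statuses that can still decrypt data they encrypted

@dataclass
class KeyMaterial:
    material: str   # e.g. "Fields (Deterministic)"
    key_type: str   # "Tenant secret", "DEK" or "Root Key"
    status: str     # a Table 2 status
    created: datetime

def rotation_blockers(inventory, material, key_type, now, sandbox=False):
    """Reasons this page gives for a rotation of (material, key_type) not being permitted now."""
    same = [k for k in inventory if (k.material, k.key_type) == (material, key_type)]
    interval = INTERVALS[(material, key_type)][1 if sandbox else 0]
    newest = max((k.created for k in same if k.status == "Active"), default=None)
    reasons = []
    if interval and newest and now - newest < interval:
        reasons.append(f"rotated {now - newest} ago; minimum interval is {interval}")
    live = sum(k.status in DECRYPTING for k in same)
    if key_type == "Tenant secret" and live >= MAX_PER_TYPE:
        reasons.append(f"{live} active+archived tenant secrets; destroy one first")
    return reasons

def rotate(inventory, material, key_type, now, sandbox=False):
    """Archive the active key material of this type and add new active material."""
    blockers = rotation_blockers(inventory, material, key_type, now, sandbox)
    if blockers:
        raise ValueError("; ".join(blockers))
    for k in inventory:
        if (k.material, k.key_type, k.status) == (material, key_type, "Active"):
            k.status = "Archived"  # still decrypts data it encrypted while active
    inventory.append(KeyMaterial(material, key_type, "Active", now))
    return inventory[-1]
```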