Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Terminology
Components Involved in Deriving Keys
Classic vs Platform Encryption
Key Material Storage
Shield Encryption Flow
Search Index Encryption Flow
Sandbox
Why BYOK?
Masked Data
Hyperforce
Deployment
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

How Shield Platform Encryption Works in a Sandbox

Refreshing a sandbox from a production org creates an exact copy of the production org. If Shield Platform Encryption is enabled on the production org, all encryption settings are copied to the sandbox, including tenant secrets created in production.

This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

Note

Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

After a sandbox is refreshed, tenant secret changes are confined to your current org. This means that when you rotate or destroy a tenant secret on the sandbox, it doesn’t affect the production org.

As a best practice, rotate tenant secrets on sandboxes after a refresh. Rotation ensures that production and sandbox use different tenant secrets. Destroying tenant secrets on a sandbox renders encrypted data unusable in cases of partial or full copies.

If you use the External Key Management Service, there are special considerations with sandbox key rotation. See External Key Management.

Tip