Salesforce Security Guide
j
No Results
Search Tips:
- Please consider misspellings
- Try different search keywords
Key Management and Rotation
With Shield Platform Encryption, you control and rotate the key material used to
encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then
combined with a primary secret for each release to derive a data encryption key. This
derived data encryption key is then used in encryption and decryption functions. You can
also use the Bring Your Own Key (BYOK) service to upload your own key material. Or you can
store your key material outside of Salesforce. Use the External Key Management Service or
the Cache-Only Key Service to fetch your key material on demand.
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge. |
| User Permissions Needed | |
|---|---|
| To manage key material: | Manage Encryption Keys |
Key management begins with assigning appropriate permissions to security administrators. Assign permissions to people you trust to encrypt data, manage certificates, and work with key material. It’s a good idea to monitor these users’ key management and encryption activities with the Setup Audit Trail. Authorized developers can generate, rotate, export, destroy, reimport, and upload tenant secrets by coding a call to the TenantSecret object in the Salesforce API.