Key Management and Rotation

With Shield Platform Encryption, you control and rotate the key material used to encrypt your data. You can use Salesforce to generate a tenant secret for you, which is then combined with a primary secret for each release to derive a data encryption key. This derived data encryption key is then used in encryption and decryption functions. You can also use the Bring Your Own Key (BYOK) service to upload your own key material. Or you can store your key material outside of Salesforce. Use the External Key Management Service or the Cache-Only Key Service to fetch your key material on demand.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

User Permissions Needed
To manage key material: Manage Encryption Keys

Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Important

Key management begins with assigning appropriate permissions to security administrators. Assign permissions to people you trust to encrypt data, manage certificates, and work with key material. It’s a good idea to monitor these users’ key management and encryption activities with the Setup Audit Trail. Authorized developers can generate, rotate, export, destroy, reimport, and upload tenant secrets by coding a call to the TenantSecret object in the Salesforce API.