Data Encryption Keys is the Setup page for managing per-tenant encryption keys (Tenant Secrets) used by Shield Platform Encryption. It's effectively a synonym for Key Management, but the URL and breadcrumb may differ depending on Salesforce release.
- Open Setup → Data Encryption Keys (or Key Management)
Setup gear → Quick Find: Data Encryption → Data Encryption Keys. May redirect to Key Management depending on org age.
- Review active and archived Tenant Secrets
Each Tenant Secret has a status (Active / Archived) and a creation date.
- Click Generate Tenant Secret to rotate
Salesforce generates a new Tenant Secret. The previous one auto-archives.
- For BYOK: upload your own key
Bring Your Own Key path: generate a key in your HSM/KMS, encrypt with the Salesforce-provided certificate, and upload.
- Manage destruction (rare)
Destroyed Tenant Secrets cannot decrypt past data. Don't destroy unless you're certain no data references the key.
- Key type: Salesforce-Managed / BYOK.
- Status: Active (encrypts new writes) / Archived (decrypts existing data) / Destroyed (cannot decrypt).
- Generate Tenant Secret: rotates to a new key and auto-archives the previous Active key.
- Destroying a Tenant Secret destroys access to all data encrypted with it. Salesforce keeps Archived keys forever by design — don't destroy unless you've verified no data references the key.
- Key rotation is not automatic. Admins must manually trigger Generate Tenant Secret. NIST recommends annual rotation; some compliance regimes require more frequent rotation.
- BYOK adds operational complexity. Lose the key in your HSM, and your data becomes permanently unrecoverable. Most orgs use Salesforce-Managed Tenant Secrets.
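The lifecycle described above (Active, Archived, Destroyed, manual rotation, and the "no data still references the key" check before destruction) modelled as an added example; this is illustrative code, not Salesforce's implementation. The record-to-key map, the `reencrypt_all` step and the 365-day interval are assumptions standing in for an org's own data inventory and re-encryption process.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_INTERVAL = timedelta(days=365)  # assumed: annual rotation per the NIST guidance cited above


@dataclass
class TenantSecret:
    key_id: str
    created: date
    status: str = "Active"  # Active | Archived | Destroyed


class TenantSecretRegistry:
    """Toy model of the Data Encryption Keys page plus an inventory of which key protects which record."""

    def __init__(self):
        self.secrets = {}        # key_id -> TenantSecret
        self.active_id = None
        self.records = {}        # record_id -> key_id (constructed stand-in for org data)

    def generate(self, key_id, today):
        # Generate Tenant Secret: the new key becomes Active, the previous Active key auto-archives.
        if self.active_id is not None:
            self.secrets[self.active_id].status = "Archived"
        self.secrets[key_id] = TenantSecret(key_id, today)
        self.active_id = key_id

    def write_record(self, record_id):
        # New writes are always encrypted under the Active key.
        self.records[record_id] = self.active_id

    def referenced_by(self, key_id):
        return sorted(r for r, k in self.records.items() if k == key_id)

    def reencrypt_all(self):
        # Assumed step: re-key existing data to the Active key so older keys become unreferenced.
        for record_id in self.records:
            self.records[record_id] = self.active_id

    def destroy(self, key_id):
        # Refuse while any record still depends on the key: destruction is irreversible.
        refs = self.referenced_by(key_id)
        if refs:
            raise ValueError(f"{key_id} still protects {refs}; destroying it makes them unrecoverable")
        if key_id == self.active_id:
            raise ValueError("rotate first; only an Archived key should be destroyed")
        self.secrets[key_id].status = "Destroyed"

    def can_decrypt(self, record_id):
        return self.secrets[self.records[record_id]].status in ("Active", "Archived")

    def rotation_due(self, today):
        return today - self.secrets[self.active_id].created >= ROTATION_INTERVAL
```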