The pattern: pick the key management model that matches compliance, build the operational practice (rotation, destruction, audit), document for auditors. The decision is heavy; reverse migration is operationally hard.
- Determine compliance requirements for key custody
Some regulations are satisfied by Salesforce-Generated; some require BYOK; some require Cache-Only. Compliance team confirms the requirement before Shield rollout.
- Pick the key management model
Salesforce-Generated for default Shield, BYOK for customer-master-key requirement, Cache-Only for off-platform-key requirement. The choice cascades through every subsequent step.
- Set up the customer KMS for BYOK or Cache-Only
AWS KMS, Azure Key Vault, on-prem HSM, or the Cache-Only key server. The KMS becomes part of the compliance scope; treat it as production infrastructure.
- Configure Key Management in Salesforce Setup
Setup, Platform Encryption, Key Management. Generate, import, or configure Cache-Only per the chosen model.
- Encrypt the target fields and files
Setup, Platform Encryption, Encryption Policy. Pick fields and files; the encryption applies using the active key.
- Document the operational practice
Rotation schedule, destruction authorization, audit logging. The document is what compliance teams reference; build it as you configure.
- Execute the first key rotation as a dress rehearsal
Rotation is a multi-week process; the first execution surfaces operational issues before they become emergencies during a compliance audit.
Decision points:
- Key management model: Salesforce-Generated, BYOK, or Cache-Only Key Service. Drives compliance positioning and operational burden.
- Rotation schedule: annually for HIPAA-grade; tunable per compliance.
- Encryption policy scope: which fields and files use the keys. Limit to compliance-required.
- Key destruction: irreversible; gated by authorization workflow.
- Customer KMS: the customer KMS (AWS, Azure, on-prem) for BYOK/Cache-Only models.
- Destroying a key is irreversible. Data encrypted with the destroyed key becomes unrecoverable; confirm intent and document before destroy.
- Key rotation requires multi-week re-encryption of historical data. Plan as a project; the first rotation is a dress rehearsal.
- Cache-Only Key Service adds latency. Each encryption operation fetches the key from the customer key server; high-volume orgs feel the overhead.
- BYOK key import requires careful wrapping and transport. Mistakes in the import produce keys Salesforce cannot use; coordinate with the KMS team.
- Salesforce-Generated Keys satisfy basic Shield compliance but not customer-key-custody requirements. Confirm compliance expectations before defaulting to Salesforce-Generated.
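The KMS setup and key import steps above, and the BYOK import caveat, hinge on wrapping the tenant secret correctly; the following added example (not Salesforce's or any KMS vendor's tooling) shows the sequence in POSIX shell with OpenSSL, including a local round-trip check that catches a bad wrap before anything is uploaded. The exact OAEP digest parameters and certificate key size Salesforce expects are assumptions here and must be confirmed against the current BYOK documentation.

```shell
#!/bin/sh
# Added example, not Salesforce's or any KMS vendor's script. Assumes OpenSSL
# is installed and that the BYOK certificate's public key is available as PEM.
set -eu

# Generate a 256-bit tenant secret: 32 bytes from OpenSSL's CSPRNG.
gen_tenant_secret() {            # $1 = output file
  openssl rand -out "$1" 32
}

# Wrap the tenant secret with the certificate's RSA public key using RSA-OAEP.
# ASSUMPTION: the OAEP digest/MGF1 parameters must match what Salesforce's
# current BYOK documentation specifies; SHA-256 is used here as a placeholder.
OAEP_OPTS="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"
wrap_tenant_secret() {           # $1 = secret, $2 = public key PEM, $3 = output
  # OAEP_OPTS is intentionally left unquoted so it word-splits into options.
  openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1" -out "$3" $OAEP_OPTS
}

# Base64 SHA-256 of the plaintext secret: the integrity value uploaded with the
# wrapped blob so the platform can confirm it unwrapped the same bytes.
secret_hash_b64() {              # $1 = secret file
  openssl dgst -sha256 -binary "$1" | openssl base64 -A
}

# Dress-rehearsal check before upload: unwrap with the matching private key and
# compare hashes. Exit status 0 = round-trips, 1 = the blob would be unusable.
verify_wrap() {                  # $1 = wrapped blob, $2 = private key PEM, $3 = expected hash
  tmp=$(mktemp)
  if ! openssl pkeyutl -decrypt -inkey "$2" -in "$1" -out "$tmp" $OAEP_OPTS 2>/dev/null; then
    rm -f "$tmp"; return 1
  fi
  actual=$(secret_hash_b64 "$tmp")
  rm -f "$tmp"
  [ "$actual" = "$3" ]
}

# Self-test with a throwaway key pair (2048-bit for speed; the real BYOK
# certificate uses whatever key size Salesforce requires). Returns 0 when a
# correct wrap verifies and a mismatched hash is rejected.
demo_roundtrip() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
  openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
  gen_tenant_secret "$d/secret.bin"
  wrap_tenant_secret "$d/secret.bin" "$d/pub.pem" "$d/secret.enc"
  if verify_wrap "$d/secret.enc" "$d/priv.pem" "$(secret_hash_b64 "$d/secret.bin")"; then ok=0; else ok=1; fi
  if verify_wrap "$d/secret.enc" "$d/priv.pem" "wrong-hash"; then bad=0; else bad=1; fi
  rm -rf "$d"
  [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

In a real rollout the private key never leaves the customer KMS or HSM, so the round-trip check runs wherever that key lives, not on the upload workstation.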