Rotating your tenant secret on a schedule is the core key-management routine. The steps below cover generating a new active secret, then re-encrypting older data so the previous secret can eventually be retired. Shield Platform Encryption must already be enabled and you need the Manage Encryption Keys permission.
- Open Key Management
In Setup, enter Platform Encryption in the Quick Find box, then select Encryption Settings. Confirm encryption is enabled, then open the Key Management page where each key type and its current secret state are listed.
- Generate a new tenant secret
Choose the key type you want to rotate, then click Generate Tenant Secret (or, in a Bring Your Own Key org, upload your wrapped key material). The new secret becomes Active and the previous one moves to Archived automatically; data already encrypted under the previous secret is not touched by this step.
- Re-encrypt existing data
From Encryption Settings, start the background data synchronization so that already-encrypted fields are re-encrypted under the new active secret. Monitor its status: until it completes, older data still resolves to the archived secret.
- Back up, then retire the old secret
Export your tenant secrets and store the export securely. Once synchronization confirms that no data still resolves to the archived secret, you may destroy it according to your retention policy.
- Rotate the right material
Data in Salesforce, the search index, analytics, and the event bus can each use a distinct key type, and each key type is rotated on its own.
- Manage Encryption Keys permission
Required for every operation here. Grant it to a small, named group and require multi-factor authentication for everyone who holds it.
- Upload rate limit
Customer-supplied key material can be uploaded at most once every 24 hours in production and Developer Edition orgs, and at most once every 4 hours in sandboxes.
- Key backup delay
Under the key backup policy, newly generated data key material may not be usable for new derivations for up to 24 hours. Plan rotation windows around that delay.
- Rotation does not re-encrypt existing data. Without running synchronization, the previous secret stays in use indefinitely and cannot be safely destroyed.
- Destroying a secret is permanent. Salesforce cannot recover it, and unbacked-up data under it is lost forever. Always export secrets first.
- Archived does not mean unused. If any record still resolves to a secret, destroying that secret makes those field values unrecoverable. Confirm via synchronization status before removing it.
- Over-assigning Manage Encryption Keys is the leading risk. A single compromised holder can destroy keys, so audit the permission and require MFA.
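The checks a practitioner would script before and after a rotation, as an added example that is neither Salesforce code nor part of the original page: it audits the state of each key type from TenantSecret records, applies the 24-hour (production) / 4-hour (sandbox) window to decide whether new key material may be generated yet, and lists who holds Manage Encryption Keys. The records are constructed to resemble SOQL results from the TenantSecret, PermissionSet and PermissionSetAssignment objects; the field names, the picklist values (Data, SearchIndex, EventBus, ACTIVE, ARCHIVED), the 90-day rotation policy, and applying the upload window to generated secrets as well are all assumptions to verify against your org.

```python
"""Pre-rotation audit for Shield Platform Encryption tenant secrets.

Added example, not Salesforce code. The records below are constructed to
mimic what SOQL queries against TenantSecret, PermissionSet and
PermissionSetAssignment return through the REST API; the field names and
picklist values are assumptions to verify against your org's describe output.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Minimum gap between consecutive secrets of one key type: the page's 24 h
# production / 4 h sandbox limit, applied here (an assumption) to any new key
# material regardless of whether it was generated or uploaded.
ROTATION_WINDOW = {
    "production": timedelta(hours=24),
    "sandbox": timedelta(hours=4),
}


def parse_sf_datetime(value):
    """Parse the timestamp form the REST API emits, e.g. 2024-01-15T09:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tenant_secrets(records, org_type, now, max_age_days=90):
    """Per key type: ACTIVE/ARCHIVED counts, whether rotation is overdue,
    whether the rate limit allows generating a new secret right now, and
    problems to resolve before destroying anything."""
    window = ROTATION_WINDOW[org_type]
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec["Type"]].append(rec)

    findings = {}
    for key_type, secrets in by_type.items():
        active = [s for s in secrets if s["Status"] == "ACTIVE"]
        archived = [s for s in secrets if s["Status"] == "ARCHIVED"]
        newest = max(parse_sf_datetime(s["CreatedDate"]) for s in secrets)
        age = now - newest
        problems = []
        if len(active) != 1:
            problems.append(f"expected exactly one ACTIVE secret, found {len(active)}")
        if archived:
            # Archived secrets may still decrypt data: sync first, destroy later.
            problems.append(f"{len(archived)} ARCHIVED secret(s) present; confirm data "
                            "sync completed before destroying them")
        findings[key_type] = {
            "active_count": len(active),
            "archived_count": len(archived),
            "overdue": age > timedelta(days=max_age_days),
            "can_generate_now": age >= window,
            "next_allowed": (newest + window).isoformat(),
            "problems": problems,
        }
    return findings


def manage_keys_holders(permission_sets, assignments, max_holders=3):
    """Users holding Manage Encryption Keys through any permission set
    (profile grants appear as profile-owned permission sets in this object)."""
    granting = {p["Id"]: p["Name"] for p in permission_sets
                if p.get("PermissionsManageEncryptionKeys")}
    holders = sorted({a["AssigneeId"] for a in assignments
                      if a["PermissionSetId"] in granting})
    return {
        "holders": holders,
        "granting_sets": sorted(granting.values()),
        "over_limit": len(holders) > max_holders,
    }


# Constructed sample data, not taken from a real org.
SAMPLE_TENANT_SECRETS = [
    {"Id": "a0X000000000001", "Type": "Data", "Status": "ARCHIVED", "Version": 1,
     "CreatedDate": "2023-11-01T09:00:00.000+0000"},
    {"Id": "a0X000000000002", "Type": "Data", "Status": "ACTIVE", "Version": 2,
     "CreatedDate": "2024-01-15T09:00:00.000+0000"},
    {"Id": "a0X000000000003", "Type": "SearchIndex", "Status": "ACTIVE", "Version": 1,
     "CreatedDate": "2023-09-01T09:00:00.000+0000"},
    {"Id": "a0X000000000004", "Type": "EventBus", "Status": "ACTIVE", "Version": 1,
     "CreatedDate": "2024-03-01T05:00:00.000+0000"},
]
SAMPLE_PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "Key_Custodians", "PermissionsManageEncryptionKeys": True},
    {"Id": "0PS2", "Name": "Sales_User", "PermissionsManageEncryptionKeys": False},
    {"Id": "0PS3", "Name": "Legacy_Admin", "PermissionsManageEncryptionKeys": True},
]
SAMPLE_ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PS1"},
    {"AssigneeId": "005B", "PermissionSetId": "0PS1"},
    {"AssigneeId": "005C", "PermissionSetId": "0PS2"},
    {"AssigneeId": "005D", "PermissionSetId": "0PS3"},
    {"AssigneeId": "005A", "PermissionSetId": "0PS3"},
]
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_type, finding in audit_tenant_secrets(SAMPLE_TENANT_SECRETS, "production", NOW).items():
        print(key_type, finding)
    print(manage_keys_holders(SAMPLE_PERMISSION_SETS, SAMPLE_ASSIGNMENTS))
```

In a real org the three sample lists would be replaced by the `records` arrays returned from the REST query endpoint (`/services/data/vXX.0/query?q=...`, version elided) for `SELECT Id, Type, Status, Version, CreatedDate FROM TenantSecret` and the two permission objects. On the sample data the Data key type has one archived secret that must be confirmed unused by data sync before destruction, SearchIndex is overdue for rotation, and EventBus was rotated five hours ago, so a new secret is permitted in a sandbox but not yet in production.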