Salesforce Dictionary - Free Salesforce Glossary

How-to guide

How to set up Key Management in Salesforce

Key Management is the Tenant Secret rotation interface for Shield Platform Encryption — generate new keys, mark them active, archive old ones. Periodic rotation limits the blast radius of a compromised key. Most Shield administration time is spent here.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated Apr 20, 2026

  1. Open Setup → Key Management

    Setup gear → Quick Find: Key Management → Key Management.

  2. Review the active Tenant Secret

    Each org has one Active Tenant Secret per data type (data, search index, files). The Active key encrypts new writes; older Archived keys can still decrypt existing data.

  3. Click Generate Tenant Secret

    Salesforce generates a new key. The old key auto-archives.

  4. (For BYOK) Upload your own key

    Bring Your Own Key path: generate a key in your HSM / KMS and upload it to Salesforce; Salesforce then uses it to derive the actual encryption keys.

  5. (Optional) Export the Tenant Secret

    Useful for backup / audit. Export is irreversible — once exported, the key material also lives on your systems, and protecting that copy becomes your responsibility.

  6. Set rotation cadence

    There is no automatic rotation — admins schedule (or manually trigger) key generation. NIST recommends rotating at least annually.

Key options
Generate Tenant Secret

Salesforce-managed. Quick, no DNS changes.

Upload (BYOK)

Bring Your Own Key. You control key custody; Salesforce uses the key but doesn't have the master copy.

Export

Back up the key material to your own systems. Irreversible — once exported, you assume responsibility for the security of the exported copy.

Active vs Archived keys

Active encrypts new data. Archived keys still decrypt existing data — don't delete them or you lose access to data encrypted with that key.

Gotchas
  • Deleting an Archived Tenant Secret destroys access to all data encrypted with that key. Salesforce keeps Archived keys forever by design. Don't try to delete unless you're certain no data references it.
  • Key rotation re-encrypts data over time via background jobs — not instantly. After generating a new key, run Setup → Encryption Statistics to monitor re-encryption progress.
  • BYOK adds significant operational complexity. Lose the key in your HSM, and your data becomes permanently unrecoverable. Most orgs use Salesforce-Managed unless compliance forces BYOK.
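To make the lifecycle rules concrete (one Active version per secret type from step 2, auto-archiving on generation from step 3, the rotation cadence from step 6, and the two gotchas about deleted Archived keys and background re-encryption), here is an added model written for this page. It is not Salesforce code and not the dictionary's own; the key derivation (HMAC-SHA256 from the tenant secret), the record format and the HMAC-keystream cipher are stand-ins for Salesforce's real AES-based scheme and are assumptions, chosen so the example runs on a plain Python install. Only the key-lifecycle behaviour is the point.

```python
"""Model of Tenant Secret rotation semantics (added example, not Salesforce code).
Assumptions not taken from the page: a tenant secret is 32 random bytes, per-purpose
keys are derived from it with HMAC-SHA256, and records are protected with an
HMAC-SHA256 keystream plus an encrypt-then-MAC tag standing in for the real cipher."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


def derive_key(tenant_secret: bytes, purpose: str) -> bytes:
    """Derive a 32-byte purpose-specific key from the tenant secret (assumed KDF)."""
    return hmac.new(tenant_secret, b"derive:" + purpose.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks (illustrative cipher)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


@dataclass
class TenantSecret:
    version: int
    material: bytes
    created: datetime
    status: str = "active"  # "active" encrypts new writes; "archived" only decrypts


class KeyRing:
    """One ring per secret type (data, search index, files): exactly one Active version."""

    def __init__(self, secret_type: str, now: datetime):
        self.secret_type = secret_type
        self.versions: dict[int, TenantSecret] = {}
        self.active = 0
        self.generate(now)

    def generate(self, now: datetime) -> int:
        """Step 3: the new secret becomes Active and the previous Active one auto-archives."""
        if self.active:
            self.versions[self.active].status = "archived"
        version = max(self.versions, default=0) + 1
        self.versions[version] = TenantSecret(version, secrets.token_bytes(32), now)
        self.active = version
        return version

    def _keys(self, ts: TenantSecret) -> tuple[bytes, bytes]:
        return (derive_key(ts.material, f"{self.secret_type}:enc"),
                derive_key(ts.material, f"{self.secret_type}:mac"))

    def encrypt(self, plaintext: bytes) -> dict:
        """New writes always use the Active version; the record remembers which version."""
        ts = self.versions[self.active]
        enc_key, mac_key = self._keys(ts)
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return {"version": ts.version, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, record: dict) -> bytes:
        """Archived versions still decrypt; a deleted version leaves the record unrecoverable."""
        ts = self.versions.get(record["version"])
        if ts is None:
            raise KeyError(f"tenant secret v{record['version']} no longer exists; data lost")
        enc_key, mac_key = self._keys(ts)
        expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise ValueError("record failed authentication")
        stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
        return bytes(c ^ k for c, k in zip(record["ct"], stream))

    def delete_version(self, version: int) -> None:
        """Gotcha 1: destroying an Archived secret orphans every record still under it."""
        if version == self.active:
            raise ValueError("cannot delete the active tenant secret")
        del self.versions[version]

    def encryption_statistics(self, records: list) -> dict[int, int]:
        """Counterpart of Encryption Statistics: how many records sit under each version."""
        stats: dict[int, int] = {}
        for rec in records:
            stats[rec["version"]] = stats.get(rec["version"], 0) + 1
        return stats

    def reencrypt_batch(self, records: list, batch_size: int) -> int:
        """Gotcha 2: rotation re-encrypts in background batches, not instantly."""
        pending = [i for i, rec in enumerate(records) if rec["version"] != self.active][:batch_size]
        for i in pending:
            records[i] = self.encrypt(self.decrypt(records[i]))
        return len(pending)

    def rotation_due(self, now: datetime, max_age_days: int = 365) -> bool:
        """Step 6: nothing rotates on its own, so flag an Active secret past the cadence."""
        return now - self.versions[self.active].created > timedelta(days=max_age_days)
```

Running a rotation through this model shows why the gotchas hold: after `generate()`, records written under version 1 still decrypt because the archived material is kept, `encryption_statistics()` reports them as not yet migrated until `reencrypt_batch()` has walked through them, and `delete_version(1)` turns every remaining version-1 record into a `KeyError`. `rotation_due()` is the kind of check an admin would schedule since the platform does not rotate by itself.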
