Rotating a tenant secret is a Setup operation, not a record you fill in. You generate a new secret, then synchronize existing data. Both steps require the Manage Encryption Keys permission.
- Confirm your permission
  Make sure your user has the Manage Encryption Keys permission. It is granted through a permission set or profile and is distinct from the permission that selects which fields are encrypted.
- Open Key Management
  In Setup, go to Encryption Settings and open the Key Management view. Choose the key type you intend to rotate, such as Data in Salesforce, the search index, Analytics, or the event bus.
- Generate the new tenant secret
  Click Generate Tenant Secret. Salesforce creates the secret, sets its Status to Active, and moves the previous secret to Archived. New writes immediately use the new key material.
- Synchronize existing data
  Open the encryption statistics view and start the background encryption service. It re-encrypts older records under the active secret. The job is asynchronous and is limited to once every 7 days.
Tenant secrets are scoped by what they protect: Data in Salesforce, the search index, Analytics, and the event bus each rotate independently.
In orgs that use Salesforce-managed keys, you click Generate Tenant Secret. BYOK orgs instead upload externally wrapped 256-bit key material; the newest upload becomes active.
You can rotate a given key type as often as every 24 hours. Choose a policy cadence, commonly annual or quarterly, and audit against it.
- Generating a secret alone does not re-encrypt old data. Until the background encryption job runs, the archived secret remains in use for the records it encrypted, indefinitely.
- Never destroy an archived secret while any data still depends on it. Destruction is irreversible and makes that data permanently unreadable.
- The background encryption service runs at most once every 7 days, so batch your encryption changes rather than triggering it repeatedly.
- Back up tenant secrets before rotating or destroying anything, so you retain a way to decrypt data if something goes wrong.
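
One way to audit against a chosen cadence while respecting the 24-hour, 7-day and do-not-destroy rules above. This is an added example, not Salesforce code: the record keys (`type`, `status`, `created`), the single org-wide `last_sync` timestamp, the 90-day default cadence and the sample inventory are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_ROTATION = timedelta(hours=24)  # page: a key type can rotate every 24 hours
SYNC_LIMIT = timedelta(days=7)      # page: background encryption once per 7 days

def audit(secrets, last_sync, now, cadence=timedelta(days=90)):
    """Return {key_type: [findings]} for an inventory of tenant secrets.

    secrets: dicts with hypothetical keys type/status/created (not an API schema).
    last_sync: completion time of the last background encryption job, or None.
    """
    by_type = {}
    for s in secrets:
        by_type.setdefault(s["type"], []).append(s)
    findings = {}
    for key_type, items in by_type.items():
        out = findings.setdefault(key_type, [])
        active = [s for s in items if s["status"] == "Active"]
        if len(active) != 1:
            out.append("expected exactly one Active secret")
            continue
        rotated = active[0]["created"]
        if now - rotated > cadence:
            out.append("rotation overdue")
        elif now - rotated < MIN_ROTATION:
            out.append("next rotation not yet allowed")
        has_archived = any(s["status"] == "Archived" for s in items)
        if has_archived and (last_sync is None or last_sync < rotated):
            # No sync since rotation: older records still need the archived secret.
            out.append("archived secret in use: do not destroy")
            if last_sync is not None and now - last_sync < SYNC_LIMIT:
                out.append("sync available " + (last_sync + SYNC_LIMIT).date().isoformat())
            else:
                out.append("run background encryption")
    return findings

def ts(s):  # helper for the constructed sample data below
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

SAMPLE = [  # constructed inventory, not real org data
    {"type": "Data", "status": "Archived", "created": ts("2023-01-10")},
    {"type": "Data", "status": "Active", "created": ts("2024-05-28")},
    {"type": "SearchIndex", "status": "Active", "created": ts("2023-02-01")},
    {"type": "EventBus", "status": "Archived", "created": ts("2024-01-01")},
    {"type": "EventBus", "status": "Active", "created": ts("2024-05-31T12:00")},
]

if __name__ == "__main__":
    report = audit(SAMPLE, last_sync=ts("2024-05-27"), now=ts("2024-06-01"))
    for key_type, notes in report.items():
        print(key_type, notes)
```

An empty finding list only means none of these checks fired; it does not prove that an archived secret is safe to destroy.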