Salesforce Dictionary - Free Salesforce Glossary

How-to guide

Execute a Shield key rotation cycle

Executing a tenant secret rotation is a planned event. The steps below cover the full cycle from generation through Mass Encryption and post-rotation verification.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026

  1. Confirm rotation cadence is due

    Check the security calendar. Confirm the rotation falls within the required window per your compliance policy.

  2. Notify stakeholders

    Send a short note to security and compliance teams that rotation is starting. Provide the expected timeline including the Mass Encryption window.

  3. Open Key Management

    Setup > Encryption Settings > Key Management. Confirm the current Active secret is the expected one.

  4. Generate the new tenant secret

    Click Generate Tenant Secret (or Import for BYOK, or trigger refresh for Cache-Only). The new secret activates within seconds; the previous moves to Archived.

  5. Schedule Mass Encryption

    Encryption Statistics > Encrypt Unencrypted Data (or equivalent). Schedule the job for a low-traffic window. Monitor progress; the job is asynchronous.

  6. Verify completion

    After Mass Encryption finishes, confirm the data shows 100% encrypted under the new secret in Encryption Statistics. The old secret is now ready to be destroyed if policy dictates.

  7. Document the rotation

    In Setup Audit Trail, capture the rotation event. Update the rotation log with the date, executor, and verification result. Compliance audits expect this artifact.
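A post-rotation state check that fits step 6, added here as an example and not part of the original entry: it reads TenantSecret records (the sample below is constructed, and the Type, Version and Status field names are an assumption to verify against your API version) and flags anything that contradicts the expected end state of a planned rotation.

```python
from collections import defaultdict

# Constructed sample data (not from a real org). Field names follow the
# TenantSecret object (Type, Version, Status); a SOQL query such as
#   SELECT Type, Version, Status FROM TenantSecret ORDER BY Type, Version
# returns records of this shape. Verify field names against your API version.
SAMPLE_RECORDS = [
    {"Type": "Data", "Version": 3, "Status": "Archived"},
    {"Type": "Data", "Version": 4, "Status": "Active"},
    {"Type": "SearchIndex", "Version": 2, "Status": "Destroyed"},
    {"Type": "SearchIndex", "Version": 3, "Status": "Active"},
]


def check_rotation(records, expected_active):
    """Return a list of findings; an empty list means the rotation state looks right.

    expected_active maps a secret Type to the Version the planned rotation
    should have produced, e.g. {"Data": 4}.
    """
    findings = []
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec["Type"]].append(rec)

    for stype, expected in expected_active.items():
        recs = sorted(by_type.get(stype, []), key=lambda r: r["Version"])
        active = [r for r in recs if r["Status"] == "Active"]
        # Exactly one secret per type may be Active after rotation.
        if len(active) != 1:
            findings.append(f"{stype}: expected exactly one Active secret, found {len(active)}")
            continue
        if active[0]["Version"] != expected:
            findings.append(f"{stype}: Active secret is version {active[0]['Version']}, expected {expected}")
        # The previous secret should be Archived, not Destroyed: destroying it before
        # Mass Encryption reaches 100% leaves data encrypted under it unrecoverable.
        prev = [r for r in recs if r["Version"] == expected - 1]
        if prev and prev[0]["Status"] == "Destroyed":
            findings.append(f"{stype}: version {expected - 1} is Destroyed; confirm Mass "
                            "Encryption reached 100% before it was destroyed")
        # A version newer than the planned one means an unplanned extra rotation.
        newer = [r["Version"] for r in recs if r["Version"] > expected]
        if newer:
            findings.append(f"{stype}: unexpected newer versions {newer}")
    return findings


if __name__ == "__main__":
    for line in check_rotation(SAMPLE_RECORDS, {"Data": 4, "SearchIndex": 3}) or ["rotation state OK"]:
        print(line)
```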

Key options
Salesforce-Managed rotation

Platform generates the new secret. The simplest mode.

BYOK rotation

The customer generates the secret externally and uploads it, retaining the master copy.

Cache-Only rotation

The customer rotates the key in their KMS; Salesforce fetches the new key on demand.

Mass Encryption job

The follow-up step to re-encrypt older data. Required for full rotation effectiveness.

Archive (automatic on rotation)

The previous secret moves to Archived automatically when the new one becomes Active.

Gotchas
  • Rotation without Mass Encryption is incomplete. Old data remains encrypted under the previous secret; the rotation has no effect for that data until Mass Encryption runs.
  • Mass Encryption is asynchronous and can take hours to days. Plan rotation timing around this window.
  • Destroying an archived secret before Mass Encryption completes can leave older data unrecoverable. Confirm encryption status before destruction.
  • Salesforce does not automate rotation. Set calendar reminders; the most common failure is missing the cadence.
  • BYOK rotation requires coordination with the customer HSM team. Schedule the operation as a planned change with both sides notified.
