How-to guide

Operating Tenant Secrets in Shield Platform Encryption

Operating Tenant Secrets is a security discipline more than a configuration task. The four-step routine covers: enable Shield Platform Encryption with the right Use Cases, configure the initial Tenant Secrets, set up the rotation schedule, and operationalize backup and audit. Each piece is a security control; together they form the customer-managed key story that compliance teams expect. Skip the audit and backup steps at your peril; the operational cost is small but the compliance and recovery value is large.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026


  1. Enable Shield Platform Encryption with the right Use Cases

    Shield Platform Encryption is a separate license; confirm the entitlement before starting. From Setup, search Platform Encryption, and enable the feature. Configure the Use Cases your org needs: Data (encrypted fields), Search Index (encrypted index), Analytics (encrypted datasets), Files, Chatter, etc. Each Use Case will have its own Tenant Secret. Activate only the Use Cases the org genuinely needs; activating extra ones increases the operational burden without security benefit. Document the activated Use Cases in the security runbook.

  2. Configure the initial Tenant Secrets

    For each activated Use Case, generate the initial Tenant Secret. From Setup, Platform Encryption, Key Management, select the Use Case and click Generate Tenant Secret. The platform creates the secret and marks it Active. For BYOK customers, generate the secret in your external HSM and upload it through the same Key Management page. Confirm the secret status shows as Active. For multiple Use Cases, repeat the process for each. Document the initial generation with the user identity and timestamp.

  3. Set up the rotation schedule

    Decide the rotation cadence per Use Case based on the regulatory and security requirements (quarterly for most general data, monthly for high-sensitivity, annually for stable archival data). Configure a calendar reminder or an automated workflow to trigger the rotation on schedule. On the rotation date, the security admin clicks Generate Tenant Secret again; the platform marks the new secret Active and the prior secret Archived. Document each rotation in the security audit log. For full re-encryption with the new secret, request the Background Encryption Service through Salesforce Customer Support.

  4. Operationalize backup and audit

    Configure external secure storage (HashiCorp Vault, AWS KMS, Azure Key Vault, or an on-premises HSM) for backing up Tenant Secrets. After each rotation, export the new Active secret to the backup store. Schedule a quarterly review of the Manage Encryption Keys permission assignment; remove any user no longer in the security role. Build a dashboard tracking Tenant Secret lifecycle events: generations, rotations, destructions. Retain the audit log for the regulatory retention period. Run an annual key management audit with the security and compliance teams to verify that the operational discipline is being followed.
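Once the rotation cadence (step 3) and the lifecycle dashboard (step 4) exist, a scripted check keeps the two honest between quarterly reviews. The Python below is an added example, not code from Salesforce Dictionary or from Salesforce: it takes a constructed lifecycle export (the record fields `use_case`, `version`, `status`, `generated_on` and `generated_by` are names assumed for this example, not the platform's API schema) plus a per-Use-Case cadence table in days, and reports Use Cases whose Active secret is older than its cadence, Use Cases with no Active secret or no policy entry, more than one Active secret for a Use Case, and any Destroyed secret, which is the irreversible case the Gotchas below describe.

```python
"""Rotation-compliance check for Shield Platform Encryption Tenant Secrets.

Added illustration, not code from Salesforce Dictionary or from Salesforce.
The record shape and field names are assumptions made for this example;
they are not the platform's API schema. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Cadence per Use Case in days, following the guide's tiers (monthly for
# high-sensitivity, quarterly for general data, annually for archival data).
# This mapping is a constructed example policy, not a Salesforce default.
ROTATION_POLICY_DAYS = {
    "Data": 90,
    "SearchIndex": 90,
    "Analytics": 365,
    "Files": 30,
}


@dataclass(frozen=True)
class TenantSecretRecord:
    use_case: str       # Shield Use Case, e.g. "Data" or "SearchIndex"
    version: int        # increments on each generation for that Use Case
    status: str         # "Active", "Archived" or "Destroyed"
    generated_on: date  # generation (or BYOK upload) date from the runbook
    generated_by: str   # identity recorded at generation time


@dataclass(frozen=True)
class Finding:
    use_case: str
    code: str           # ROTATION_OVERDUE, NO_ACTIVE_SECRET, MULTIPLE_ACTIVE,
                        # NO_POLICY or DESTROYED_SECRET
    detail: str
    days_overdue: int = 0


# Constructed sample of what a security team's lifecycle export might hold.
SAMPLE_RECORDS = [
    TenantSecretRecord("Data", 1, "Archived", date(2025, 11, 1), "sec.admin@example.com"),
    TenantSecretRecord("Data", 2, "Active", date(2026, 2, 1), "sec.admin@example.com"),
    TenantSecretRecord("SearchIndex", 1, "Active", date(2026, 4, 10), "sec.admin@example.com"),
    TenantSecretRecord("Files", 1, "Destroyed", date(2025, 6, 1), "sec.admin@example.com"),
    TenantSecretRecord("Files", 2, "Active", date(2026, 5, 1), "sec.admin@example.com"),
    TenantSecretRecord("Chatter", 1, "Active", date(2026, 1, 15), "sec.admin@example.com"),
]


def rotation_findings(records, policy, today):
    """Evaluate every Use Case seen in the policy or the export against the cadence."""
    findings = []
    use_cases = set(policy) | {r.use_case for r in records}
    for uc in sorted(use_cases):
        own = [r for r in records if r.use_case == uc]
        # Destruction is irreversible, so it is always surfaced, whatever the policy says.
        for r in own:
            if r.status == "Destroyed":
                findings.append(Finding(
                    uc, "DESTROYED_SECRET",
                    f"version {r.version} destroyed on record; data under it is unrecoverable"))
        if uc not in policy:
            findings.append(Finding(uc, "NO_POLICY", "Use Case present in export but has no rotation cadence"))
            continue
        active = [r for r in own if r.status == "Active"]
        if not active:
            findings.append(Finding(uc, "NO_ACTIVE_SECRET", "policy lists Use Case but no Active secret exists"))
            continue
        if len(active) > 1:
            versions = ", ".join(str(r.version) for r in active)
            findings.append(Finding(uc, "MULTIPLE_ACTIVE", f"versions {versions} all marked Active; export is inconsistent"))
            continue
        age_days = (today - active[0].generated_on).days
        overdue = age_days - policy[uc]
        if overdue > 0:
            findings.append(Finding(
                uc, "ROTATION_OVERDUE",
                f"version {active[0].version} is {age_days} days old; cadence is {policy[uc]} days",
                overdue))
    return findings


def next_rotation_dates(records, policy):
    """Map each policy-covered Use Case with an Active secret to its next due date."""
    return {
        r.use_case: r.generated_on + timedelta(days=policy[r.use_case])
        for r in records
        if r.status == "Active" and r.use_case in policy
    }


if __name__ == "__main__":
    check_date = date(2026, 5, 19)  # constructed review date
    for f in rotation_findings(SAMPLE_RECORDS, ROTATION_POLICY_DAYS, check_date):
        print(f"{f.code:18} {f.use_case:12} {f.detail}")
    for uc, due in sorted(next_rotation_dates(SAMPLE_RECORDS, ROTATION_POLICY_DAYS).items()):
        print(f"next rotation     {uc:12} {due.isoformat()}")
```

Run against a real export, the same findings feed the lifecycle dashboard: ROTATION_OVERDUE and NO_ACTIVE_SECRET are the items the security admin acts on, MULTIPLE_ACTIVE means the export itself needs reconciling before it is trusted, and DESTROYED_SECRET should match a sign-off record in the audit log.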

Gotchas
  • Destroying a Tenant Secret is irreversible. The affected data becomes cryptographically unrecoverable, even from backups. Use only with explicit business and legal sign-off.
  • Rotation does not re-encrypt existing data. New writes use the new Active secret; old data continues to use the Archived secret. For full re-encryption, request Background Encryption Service through Salesforce Customer Support.
  • Shield Platform Encryption is a separate license. Confirm the entitlement before scoping any project that depends on customer-managed keys.
  • The Manage Encryption Keys permission is a high-privilege grant. Audit the user list quarterly; over-broad grants expand the blast radius if a security user account is compromised.
  • BYOK customers manage their own external key storage. The operational discipline (rotation, audit, backup) is heavier than in the platform-generated Tenant Secret model, but it provides a stronger compliance posture for regulated industries.
