What are the three statuses a Data Encryption Key can have?

Keys are Active (used for new encryption), Archived (still used for decryption but not new encryption), or Destroyed (deleted).

What happens to data encrypted with an archived key?

Archived keys remain available for decrypting existing data; they just aren't used to encrypt new data.

BYOK lets customers manage encryption keys in their own external key management system, giving them full control over the key lifecycle.

Data Encryption Keys

Administration🟡 Intermediate

Definition

Data Encryption Keys in Salesforce are the cryptographic keys used to encrypt and decrypt data protected by Platform Encryption (Salesforce Shield). Administrators manage these keys through the Key Management Setup page, where they can generate new keys, rotate (archive) existing keys, export keys for backup, and import keys. Each key has a status (Active, Archived, or Destroyed) and different key types exist for different data categories.

Real-World Example

Consider a scenario where the system admin at BrightEdge Solutions is working with Data Encryption Keys to control how users interact with Salesforce data and features. After configuring Data Encryption Keys in the sandbox and validating it with key stakeholders, they roll it out to production. User adoption improves because the interface now matches how teams actually work.

Why Data Encryption Keys Matters

Data Encryption Keys are the cryptographic keys used by Platform Encryption (Salesforce Shield) to encrypt and decrypt protected data. Admins manage these keys through the Key Management page in Setup, where they generate new keys, rotate (archive) existing keys, export keys for backup, and import keys from external key management systems. Each key has a status: Active (used for new encryption), Archived (no longer used for new encryption but still needed to decrypt existing data), or Destroyed (the key has been deleted, making encrypted data unreadable).

Key rotation is a security best practice and is often mandated by compliance frameworks. When you rotate a key, the old key becomes archived and a new key becomes active for new encryption operations. Existing data encrypted with the old key is still readable because the archived key remains available for decryption. Some organizations also use Bring Your Own Key (BYOK), where the encryption keys are generated and managed in an external key management system and imported into Salesforce, giving the customer full control over the key lifecycle. Properly managing keys is one of the most security-sensitive operations in a Salesforce org.

How Organizations Use Data Encryption Keys

•Redwood Financial — Rotates their Data Encryption Keys annually as required by their security policy. The rotation produces a fresh active key while keeping archived keys available to decrypt older data.
•Coastal Health — Uses BYOK (Bring Your Own Key) so encryption keys are managed in their external key management system. The setup gives them complete control over key lifecycle and satisfies their HIPAA compliance program.
•ShieldGuard Security — Built a runbook for key rotation and key backup procedures. The runbook includes steps for testing decryption after rotation and verifying backups before any destructive operation.