Data Encryption Keys

Administration 🟡 Intermediate

Definition

Data Encryption Keys are an administrative capability in Salesforce that gives admins control over a specific aspect of org configuration: the encryption keys used to protect org data. They are part of the toolkit administrators use to keep Salesforce aligned with organizational policies and processes.

Real-World Example

Consider a scenario where the system admin at BrightEdge Solutions is working with Data Encryption Keys to control how users interact with Salesforce data and features. After configuring Data Encryption Keys in the sandbox and validating it with key stakeholders, they roll it out to production. User adoption improves because the interface now matches how teams actually work.

Why Data Encryption Keys Matters

Data Encryption Keys are the cryptographic keys that Salesforce uses to encrypt and decrypt data protected by Shield Platform Encryption. Salesforce provides a key management framework where administrators generate, activate, rotate, and archive encryption keys from within Setup. Each key is associated with a specific data type or tenant secret, and Salesforce combines the tenant secret with a per-release master secret to derive the actual encryption key. Organizations can use Salesforce-managed keys (where Salesforce controls the master secret) or bring their own key material using the Bring Your Own Key (BYOK) capability, which gives customers full control over the key lifecycle.

Key management is a critical security discipline because the encryption key is the linchpin of the entire encryption system — if keys are compromised, all encrypted data is exposed. Regular key rotation ensures that even if a key is compromised, only data encrypted during that key's active period is at risk. Salesforce supports key rotation without downtime: when a new key is activated, new data is encrypted with the new key while existing data is re-encrypted in the background. Organizations subject to compliance requirements like PCI-DSS must demonstrate active key rotation policies and document their key management procedures. BYOK is important for highly regulated industries (like banking and government) where organizational policy requires that encryption keys never be managed by a third party.
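The derivation and rotation flow described in the two paragraphs above, as an added example that is not Salesforce's code and does not reproduce Salesforce's actual key-derivation function or cipher: a tenant secret and a per-release master secret are combined with HKDF to produce a data encryption key, each secret moves through ACTIVE, ARCHIVED and DESTROYED states, ciphertext records carry the key version they were written under, and a rotation is followed by background re-encryption before the old secret is destroyed. The class and function names, the HMAC-based stream cipher standing in for Shield's AES-256, and all key material and record values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for Shield's AES-256)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))

def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a 64-byte data key: first half encrypts, second half authenticates."""
    enc_key, mac_key = data_key[:32], data_key[32:]
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(data_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so a tampered blob is rejected rather than garbled."""
    enc_key, mac_key = data_key[:32], data_key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return _xor_stream(enc_key, nonce, ct)

@dataclass
class TenantSecret:
    version: int
    material: bytes
    status: str = "ACTIVE"  # lifecycle: ACTIVE -> ARCHIVED -> DESTROYED

class KeyRing:
    def __init__(self, master_secret: bytes) -> None:
        self.master_secret = master_secret  # per-release master secret (Salesforce's, or an HSM key under BYOK)
        self.secrets = {}
        self.active_version = 0

    def activate_new_secret(self, material: bytes = b"") -> int:
        """Generate (Salesforce-managed) or upload (BYOK) a secret and make it ACTIVE."""
        if self.active_version:
            self.secrets[self.active_version].status = "ARCHIVED"
        version = len(self.secrets) + 1
        self.secrets[version] = TenantSecret(version, material or secrets.token_bytes(32))
        self.active_version = version
        return version

    def destroy(self, version: int) -> None:
        # Wipe the material: anything still encrypted under this version is unrecoverable.
        self.secrets[version].material, self.secrets[version].status = b"", "DESTROYED"

    def data_key(self, version: int) -> bytes:
        """Derive the data key: tenant secret as IKM, master secret as salt, version as info."""
        ts = self.secrets[version]
        if ts.status == "DESTROYED":
            raise PermissionError(f"tenant secret v{version} was destroyed")
        return hkdf_sha256(ts.material, self.master_secret, b"data-key-v%d" % version, 64)

    def encrypt(self, plaintext: str) -> tuple:
        """Encrypt under the ACTIVE secret; the key version is stored with the ciphertext."""
        v = self.active_version
        return v, seal(self.data_key(v), plaintext.encode())

    def decrypt(self, stored: tuple) -> str:
        v, blob = stored
        return unseal(self.data_key(v), blob).decode()

    def reencrypt_background(self, records: list) -> int:
        """Background re-encryption after rotation: rewrite every field under an older key."""
        stale = [i for i, (v, _) in enumerate(records) if v != self.active_version]
        for i in stale:
            records[i] = self.encrypt(self.decrypt(records[i]))
        return len(stale)

def rotation_demo() -> dict:
    """Quarterly rotation as in the page's scenarios; every value here is constructed."""
    ring = KeyRing(master_secret=b"constructed-release-master-secret")
    ring.activate_new_secret()                         # v1 ACTIVE
    records = [ring.encrypt(f"ACCT-000{i}") for i in range(3)]
    ring.activate_new_secret()                         # rotate: v2 ACTIVE, v1 ARCHIVED
    records.append(ring.encrypt("ACCT-0003"))          # new data goes under v2 immediately
    archived_readable = ring.decrypt(records[0])       # v1 still decrypts while ARCHIVED
    moved = ring.reencrypt_background(records)         # migrate the three v1 records
    ring.destroy(1)                                    # safe only once nothing is under v1
    return {
        "reencrypted": moved,
        "archived_readable": archived_readable,
        "all_under_active": all(v == ring.active_version for v, _ in records),
        "readback": [ring.decrypt(r) for r in records],
    }
```

Two details matter in practice and are the reason the model keeps a version tag on every record and an ARCHIVED state between ACTIVE and DESTROYED: re-encryption can only run while the old secret is still available, so destroying a secret before the background job has finished makes any record still under it unrecoverable, and the rotation itself is only "without downtime" because reads of archived-key ciphertext keep working during that window. Shield's real key-derivation function, cipher and storage format are not reproduced here; only the lifecycle the page describes.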

How Organizations Use Data Encryption Keys

  • BrightEdge Financial — BrightEdge Financial's security team rotates their Shield Platform Encryption keys quarterly as required by their PCI-DSS compliance policy. Each rotation activates a new tenant secret while the previous key is archived. Background re-encryption processes existing records with the new key, and the security team documents each rotation event in their compliance audit log.
  • Sovereign Government Agency — A Sovereign Government Agency uses the Bring Your Own Key (BYOK) feature because their data classification policy requires that encryption keys remain under government control and are never generated or managed by a cloud vendor. They generate keys using their own HSM (Hardware Security Module) and upload the key material to Salesforce Shield, retaining the ability to revoke access to their data at any time.
  • MedSecure Health — MedSecure Health's admin discovered during a security review that their encryption key hadn't been rotated in 18 months, violating their HIPAA security policy. They immediately generated a new tenant secret, activated it, and initiated background re-encryption. The admin then set up a calendar reminder and documented the rotation schedule in their security operations runbook to prevent future lapses.
