Definition
In Salesforce Shield Platform Encryption, a cryptographic key used to encrypt and decrypt protected data, managed through the key management system with options for Salesforce-managed or customer-supplied keys.
Real-World Example
A Salesforce administrator at Coastal Health uses Encryption Key to maintain data quality and enforce organizational policies across the platform. By properly setting up Encryption Key, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.
Why Encryption Key Matters
An Encryption Key in Salesforce Shield Platform Encryption is the cryptographic key used to encrypt and decrypt protected data. Keys are managed through the Key Management page in Setup, where admins generate, rotate, archive, and destroy keys, or import customer-supplied keys through Bring Your Own Key (BYOK). Salesforce uses tenant secrets and master secrets that work together to produce the data encryption key.
Key management is one of the most security-sensitive operations in a Salesforce org. Generating or rotating keys is a routine administrative task, but destroying keys is irreversible: data encrypted with a destroyed key becomes permanently unreadable. Mature organizations follow strict procedures around key lifecycle management, including backups before destructive operations, rotation schedules tied to security policies, and audit logs of key actions. BYOK gives customers complete control over key generation and storage, often required for organizations with strict compliance programs.
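As an added illustration (not Salesforce's implementation and not code from this page), the following Python model of a hypothetical tenant key ring shows the lifecycle described above: rotation archives the old key so existing ciphertext still decrypts, and destroying a version makes its ciphertext permanently unreadable. The cipher is a hash-based stand-in for AES, and `TenantKeyRing`, its method names and the ciphertext layout are assumptions.

```python
import hashlib
import hmac
import os

ACTIVE, ARCHIVED, DESTROYED = "active", "archived", "destroyed"

class KeyDestroyedError(Exception):
    """Ciphertext references a key version whose material was destroyed."""

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Hash-derived keystream: a stand-in for the real AES cipher so the example runs on the stdlib.
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

class TenantKeyRing:
    # Hypothetical model of one org's key versions: generate, rotate, archive, destroy.
    def __init__(self) -> None:
        self.keys: dict[int, list] = {}  # version -> [status, key material or None]
        self.generate()
    def generate(self) -> int:
        version = len(self.keys) + 1
        self.keys[version] = [ACTIVE, os.urandom(32)]
        return version
    def rotate(self) -> int:
        # The old active key becomes archived: no longer used to encrypt, still able to decrypt.
        for entry in self.keys.values():
            entry[0] = ARCHIVED if entry[0] == ACTIVE else entry[0]
        return self.generate()
    def export_backup(self, version: int) -> bytes:
        return self._material(version)  # take this before a destroy, never after
    def destroy(self, version: int) -> None:
        self.keys[version] = [DESTROYED, None]  # material discarded; nothing here can undo it
    def _material(self, version: int) -> bytes:
        if self.keys[version][0] == DESTROYED:
            raise KeyDestroyedError(f"key version {version} was destroyed; data is unreadable")
        return self.keys[version][1]
    def encrypt(self, plaintext: bytes) -> bytes:
        version = max(v for v, entry in self.keys.items() if entry[0] == ACTIVE)
        key, nonce = self._material(version), os.urandom(16)
        body = version.to_bytes(4, "big") + nonce + _xor_stream(key, nonce, plaintext)
        return body + hmac.new(key, body, hashlib.sha256).digest()  # key version travels with the data
    def decrypt(self, blob: bytes) -> bytes:
        body, tag = blob[:-32], blob[-32:]
        version, nonce, ct = int.from_bytes(body[:4], "big"), body[4:20], body[20:]
        key = self._material(version)  # archived keys still decrypt; destroyed keys raise
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            raise ValueError("ciphertext integrity check failed")
        return _xor_stream(key, nonce, ct)
```

Calling `export_backup` before `destroy` mirrors the backup-before-destructive-operation step; once a version is destroyed, both decryption and export of that version fail.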
How Organizations Use Encryption Key
- Redwood Financial — Rotates encryption keys annually as required by their security policy. The rotation generates new active keys while keeping archived keys available for decryption.
- Coastal Health — Uses BYOK so encryption keys are generated and managed in their external KMS, satisfying their compliance requirements for customer-controlled key management.
- ShieldGuard Security — Documented their key management procedures in a runbook covering rotation, backup, and destruction with explicit approval steps for destructive operations.
