Definition
The system within Salesforce Shield Platform Encryption for generating, rotating, archiving, and destroying encryption keys, including options for customer-managed keys (Bring Your Own Key).
Real-World Example
At their company, the analytics lead at SilverLine Corp leverages Encryption Key Management to build a comprehensive view of key business metrics. With Encryption Key Management in place, stakeholders across the organization can self-serve their data needs, filtering and drilling down into the numbers without filing requests with the analytics team.
Why Encryption Key Management Matters
Encryption Key Management is the system within Salesforce Shield Platform Encryption for managing the lifecycle of encryption keys. The system supports generating new keys, rotating active keys (which archives the previous active key while creating a new one), exporting keys for backup, importing customer-supplied keys (BYOK), archiving keys (still usable for decryption but not new encryption), and destroying keys permanently. All operations are managed through the Key Management Setup page.
Key Management is the operational discipline that makes Platform Encryption usable in practice. Without good key management, encryption becomes either a security risk (poor key hygiene) or an operational nightmare (data lockouts from key destruction). Mature organizations build runbooks for key operations, define rotation schedules tied to compliance requirements, separate duties between key administrators and other admins, and audit key usage regularly. BYOK adds another layer where customers control key generation and storage in external systems, often required for the most security-sensitive industries.
How Organizations Use Encryption Key Management
- Coastal Health — Uses BYOK with their external KMS to maintain complete control over encryption keys. The HIPAA compliance program required customer-managed keys.
- Redwood Financial — Built a key management runbook covering rotation, backup, and destruction procedures with explicit approval steps for destructive operations.
- ShieldGuard Security — Audits key management actions through audit logs as part of their quarterly security review, verifying that operations followed approved procedures.
