Key Management
Definition
Key Management in Salesforce is the umbrella for the operations administrators perform on the cryptographic keys protecting data at rest: generating new tenant secrets, importing customer-generated keys for BYOK, configuring Cache-Only Key Service endpoints, rotating active secrets on schedule, archiving older secrets, and destroying compromised or retired keys. The Key Management tab inside Encryption Settings is the primary admin surface for these operations; behind it, the platform handles the cryptographic mechanics (key derivation, IV generation, ciphertext production) without exposing the details.
Key management is the highest-stakes administrative responsibility in any Salesforce org running Shield. Mistakes have consequences ranging from compliance violations (failing to rotate per policy) to catastrophic data loss (destroying a key while data still depends on it). Most orgs reserve Key Management permissions to a small named group of administrators, audit the permission set quarterly, and require multi-party approval for any destructive operation. The discipline matters: the platform makes the operations easy to execute, but the irreversibility of some operations demands procedural safeguards beyond what the UI provides.
How Key Management works in Salesforce
Tenant secret lifecycle
Each tenant secret moves through four states: Generated (newly created, available for use), Active (currently used for new encryption), Archived (retired from new encryption but still available for decrypting older data), and Destroyed (permanently invalidated). Most orgs rotate by generating a new secret, which becomes Active while the previous one becomes Archived. Archived secrets remain valuable; destroying them too early leaves older data inaccessible.
Generation operations
Salesforce-Managed keys generate directly through the Key Management tab; the platform creates the secret without customer involvement. BYOK requires the customer to generate the secret externally (typically in an HSM) and upload it wrapped under a Salesforce-provided wrapping key. Cache-Only requires configuration of the external KMS endpoint and authentication; the secret never lives on Salesforce.
Rotation operations
Rotation is the act of generating a new active secret while archiving the previous one. It is non-disruptive: new writes use the new secret, and old data still decrypts under the archived secret. Most compliance regimes require rotation on a schedule (annually for many financial services; quarterly for stricter regimes). Set a calendar reminder; automated rotation is not built in, though Apex schedulers can trigger the operation.
Mass Encryption after rotation
After rotation, older data remains encrypted under the previous secret. To fully retire the old secret, you must re-encrypt the older data under the new secret. The Mass Encryption job under Encryption Statistics does this. Plan it after rotation; without it, the old secret cannot be safely archived or destroyed because data still depends on it.
Destruction and the irreversible boundary
Destroying a tenant secret is permanent. All data encrypted under it becomes unrecoverable: by Salesforce, by the customer, by anyone. This is the security feature for "the auditor wants proof we can revoke our own data" scenarios, and the hazard for accidental data loss. Build approval workflows around destruction: require two named approvers, a timed delay, and explicit confirmation that no data still depends on the secret.
Permissions to manage keys
The Manage Encryption Keys permission gates every key operation. Assign it sparingly: a small named group of administrators, audited quarterly. The permission is in the same permission family as Modify All Data but more sensitive, because key destruction is irreversible. A compromised admin account holding this permission can cause unrecoverable damage; consider pairing it with stricter MFA requirements for the users who hold it.
Audit and compliance
Setup Audit Trail logs key operations: generation, rotation, archive, destruction. Compliance teams expect to see these events for evidence of policy adherence. Configure exports to an external SIEM if your retention requirement exceeds Salesforce's default. Document the named individuals authorized for each operation type; the audit log shows who performed each action.
Manage Shield encryption keys
Key Management is recurring administrative work. The steps below cover the initial setup and the recurring rotation cycle that compliance regimes typically require.
- Confirm Shield license
Without Shield, the Key Management tab is inactive. Confirm provisioning before planning any operations.
- Choose the key model
Salesforce-Managed, BYOK, or Cache-Only. Decide based on compliance requirements; document the choice and the reasons.
- Generate the initial tenant secret
Encryption Settings > Key Management > Generate Tenant Secret. The first secret activates immediately.
- Configure rotation schedule
Add the rotation cadence to your security calendar. Annual is common; quarterly for strict compliance. Document who is authorized to perform the rotation.
- Execute rotation
On the scheduled date, Encryption Settings > Key Management > Generate Tenant Secret. The new secret becomes Active; the previous Archived.
- Run Mass Encryption
Encryption Statistics > Encrypt Unencrypted Data (or the equivalent re-encryption operation). This re-derives keys for older data under the new tenant secret.
- Audit the operations
Setup Audit Trail > filter to key operations. Confirm the rotation appears with the expected admin name and timestamp. Capture screenshots for compliance documentation.
- Generate Tenant Secret: Create a new secret. The standard operation for first-time setup and rotation.
- Upload (BYOK): Upload externally generated key material. The customer retains the master copy.
- Configure Cache-Only Key Service: Configure the external KMS endpoint. The secret never lives on Salesforce.
- Archive: Retire a secret from new encryption. It remains available for decryption.
- Destroy: Permanently invalidate a secret. Irreversible; data encrypted under it is unrecoverable.
- Destruction is irreversible. Build approval workflows; accidental destruction is unrecoverable.
- Rotation without Mass Encryption leaves old secrets in use indefinitely. The rotation becomes meaningless for the older data.
- Archived secrets cannot be deleted while data depends on them. Confirm no data depends before destroying.
- Manage Encryption Keys is a powerful permission. Audit assignments quarterly; over-assignment is the leading risk.
- Automated rotation is not built in. Set calendar reminders or build a custom Apex scheduler.
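The lifecycle rules above (rotation archives the previous Active secret, Mass Encryption moves older data onto the Active secret, destruction is refused while data still depends on a secret, and every operation lands in the audit trail) are easy to state and easy to get wrong under time pressure. The following Python model is an added example, not Salesforce code and not an API the platform exposes: it is a hypothetical in-memory stand-in for the Key Management tab that enforces those rules as invariants, walks the setup-and-rotation procedure from the steps above, and includes the two-approver check and the rotation-overdue check that the pitfalls list recommends. Secret ids, actor names and dates are constructed for the demonstration.

```python
"""Model of the Shield tenant-secret lifecycle described on this page.

Added example; not Salesforce code. It encodes the page's rules: rotation
archives the previous Active secret, Mass Encryption moves older data onto
the Active secret, Destroy is refused while any record still depends on the
secret, and every operation is written to an audit trail.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class State(Enum):
    GENERATED = "Generated"
    ACTIVE = "Active"
    ARCHIVED = "Archived"
    DESTROYED = "Destroyed"


@dataclass
class TenantSecret:
    secret_id: str          # constructed id, e.g. "ts-1"
    created: date
    state: State = State.GENERATED
    dependents: int = 0     # records whose ciphertext still needs this secret


@dataclass
class KeyStore:
    """Hypothetical in-memory stand-in for the Key Management tab."""
    secrets: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (date, actor, action, secret_id)
    counter: int = 0

    def _log(self, actor, action, secret_id, when):
        # Mirrors the Setup Audit Trail entries compliance reviewers look for.
        self.audit.append((when.isoformat(), actor, action, secret_id))

    def active(self):
        return next((s for s in self.secrets.values() if s.state is State.ACTIVE), None)

    def generate(self, actor, today):
        """Generate Tenant Secret: the new secret is activated immediately, the old Active one is Archived."""
        prev = self.active()
        if prev is not None:
            prev.state = State.ARCHIVED
            self._log(actor, "archive", prev.secret_id, today)
        self.counter += 1
        new = TenantSecret(f"ts-{self.counter}", today)
        new.state = State.ACTIVE
        self.secrets[new.secret_id] = new
        self._log(actor, "generate", new.secret_id, today)
        return new

    def encrypt_record(self):
        """New writes are always encrypted under the Active secret."""
        self.active().dependents += 1

    def mass_encrypt(self, actor, today):
        """Mass Encryption: re-encrypt data held under Archived secrets under the Active one."""
        act = self.active()
        moved = 0
        for s in self.secrets.values():
            if s.state is State.ARCHIVED and s.dependents:
                moved += s.dependents
                act.dependents += s.dependents
                s.dependents = 0
        self._log(actor, "mass_encrypt", act.secret_id, today)
        return moved

    def destroy(self, secret_id, approvers, today):
        """Destroy is irreversible, so require two distinct approvers and zero dependents."""
        s = self.secrets[secret_id]
        if len(set(approvers)) < 2:
            raise PermissionError("destruction needs two distinct named approvers")
        if s.state is State.ACTIVE:
            raise ValueError("rotate first; the Active secret cannot be destroyed")
        if s.state is State.DESTROYED:
            raise ValueError("already destroyed")
        if s.dependents:
            raise ValueError(f"{s.dependents} records still depend on {secret_id}; run Mass Encryption first")
        s.state = State.DESTROYED
        self._log(approvers[0], "destroy", secret_id, today)

    def rotation_overdue(self, today, cadence_days=365):
        """Compliance check: has the Active secret outlived the rotation cadence?"""
        act = self.active()
        return act is None or today - act.created > timedelta(days=cadence_days)


def demo():
    """Walk the procedure: initial secret, writes, rotation, refused destroy, Mass Encryption, destroy."""
    ks = KeyStore()
    first = ks.generate("alice", date(2024, 1, 1))
    for _ in range(3):
        ks.encrypt_record()                      # three records under ts-1
    ks.generate("alice", date(2025, 1, 15))      # scheduled annual rotation -> ts-2 Active
    ks.encrypt_record()                          # one new record under ts-2
    refusals = []
    try:
        ks.destroy(first.secret_id, ["alice", "bob"], date(2025, 1, 16))
    except ValueError as err:                    # data still depends on ts-1
        refusals.append(str(err))
    moved = ks.mass_encrypt("alice", date(2025, 1, 16))
    try:
        ks.destroy(first.secret_id, ["alice", "alice"], date(2025, 1, 17))
    except PermissionError as err:               # same person twice is not two approvers
        refusals.append(str(err))
    ks.destroy(first.secret_id, ["alice", "bob"], date(2025, 1, 17))
    return {
        "moved": moved,
        "refusals": refusals,
        "states": {s.secret_id: s.state.value for s in ks.secrets.values()},
        "actions": [entry[2] for entry in ks.audit],
        "overdue_2026": ks.rotation_overdue(date(2026, 1, 20)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ordering in the demo is the point: the first Destroy attempt fails even with two approvers because three records still need ts-1, and only after Mass Encryption reports those three records moved does destruction succeed. The audit list comes out as generate, archive, generate, mass_encrypt, destroy, which is the sequence a reviewer should expect to find in Setup Audit Trail after one rotation cycle; the overdue check then flags ts-2 once it passes the annual cadence.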
Trust & references
Straight from the source - Salesforce's reference material on Key Management.
- How Shield Platform Encryption Works (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. Why is understanding Key Management important for Salesforce admins?
Q2. Can a Salesforce admin configure Key Management without writing code?
Q3. In which area of Salesforce would you typically find Key Management?