Key Management
Definition
Key Management is a Setup page where administrators manage encryption keys used by Shield Platform Encryption, including generating new tenant secrets, rotating keys, archiving old secrets, and configuring key material sources. Proper key management ensures that encrypted data remains secure and recoverable.
In plain English
“Here's a simple way to think about it: Key Management is where Shield Platform Encryption keys live. Generate, rotate, archive: each step can lock the org out of its own data if done wrong. Treat it like production database operations.”
Worked example
Following the bank's annual security policy, the admin at FinServe Bank navigates to Key Management and rotates the tenant secret used for Platform Encryption. The old secret is archived (existing data remains readable) and a new secret becomes active. She then runs Sync from Encryption Statistics so that existing records are re-encrypted with the new key material in the background, and watches the statistics until nothing still depends on the archived secret.
Why Key Management is the last surface anyone wants to figure out as they go
Shield Platform Encryption is the feature that encrypts your sensitive data at rest. Key Management is the page where the keys that do the encrypting actually live. Generate a tenant secret, rotate keys on a schedule, archive old secrets so previously-encrypted data still decrypts, plug in customer-managed key sources for the strictest compliance posture. Each step looks routine; each one has the potential to render data unreadable if you do it wrong.
The reason it earns more documentation than most pages is the asymmetry of consequences. A wrong page-layout change inconveniences a few users for a few minutes; a wrong key-rotation step can lock the org out of its own historical records. Treat Key Management as production database operations. Document every action, sandbox-test rotations end-to-end before touching production, and never skip the archive step when retiring a key.
How to set up Key Management
Key Management is the Tenant Secret rotation interface for Shield Platform Encryption — generate new keys, mark them active, archive old ones. Periodic rotation reduces blast radius if a key is compromised. The bulk of Shield admin time is here.
- Open Setup → Key Management
Setup gear → Quick Find: Key Management → Key Management.
- Review the active Tenant Secret
Each org has one Active tenant secret per tenant secret type (Data, which covers fields and files; Search Index; and, where licensed, Analytics and Event Bus). The Active secret encrypts new writes; older Archived secrets can still decrypt existing data.
- Click Generate Tenant Secret
Salesforce generates a new key. The old key auto-archives.
- (For BYOK) Upload your own key
Bring Your Own Key path: generate the tenant secret in your own HSM or KMS, wrap it with the public key of a BYOK certificate created under Salesforce's Certificate and Key Management, and upload the wrapped secret together with a SHA-256 hash of the plaintext so Salesforce can verify it. Salesforce combines the tenant secret with its own master secret to derive the actual data encryption keys.
- (Optional) Export the Tenant Secret
Useful for backup and audit. Export does not change the org and the exported file is encrypted, but from that point the key material also lives in your systems and you are responsible for protecting it.
- Set rotation cadence
No automatic rotation: admins schedule (or manually trigger) key generation. Salesforce limits generation to once every 24 hours in production (once every 4 hours in sandboxes), so plan the window. Annual rotation is the floor most policies set; align the cadence with your own compliance requirements.
Key source and key state options, summarized:
- Salesforce-managed: Salesforce generates and holds the tenant secret. Quickest path; no external key infrastructure to run.
- Bring Your Own Key: you control key custody and generate the material in your own HSM or KMS; Salesforce holds only the wrapped copy you upload, not the master copy.
- Export: copies the tenant secret, in encrypted form, to your own systems for backup. Once exported, you assume responsibility for protecting that copy.
- Active vs. Archived: the Active secret encrypts new data. Archived secrets still decrypt existing data; destroying one means losing access to everything encrypted under it.
- Destroying an Archived tenant secret makes all data encrypted under it permanently unreadable, unless you exported that secret first and can import it back. Archived secrets otherwise stay available indefinitely; only destroy one when you are certain no data references it, and export it before you do.
- Key rotation does not re-encrypt existing data by itself. Records pick up the Active secret when they are next saved, or when you run Sync from Setup → Encryption Statistics, which re-encrypts them in the background. Use the same page to track how much data still references archived secrets before retiring one.
- BYOK adds significant operational complexity. Lose the key in your HSM, and your data becomes permanently unrecoverable. Most orgs use Salesforce-Managed unless compliance forces BYOK.
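The lifecycle these steps and caveats describe (the Active secret encrypts new writes, Archived secrets still decrypt, Sync moves old records onto the Active secret, and destroying a secret removes access) modelled in Python as an added example. This is not Salesforce's code: the master secret, the HMAC-based key derivation, the stream cipher, the in-memory org and the method names are hypothetical stand-ins constructed for illustration; only the state transitions follow the behaviour the page describes.

```python
# Constructed model of the tenant-secret lifecycle behind Key Management. Not Salesforce
# code: the cipher, KDF, master secret, in-memory "org" and method names are hypothetical.
import hashlib
import hmac
import os

MASTER_SECRET = hashlib.sha256(b"hypothetical master secret").digest()  # stand-in value

def derive_dek(tenant_secret: bytes) -> bytes:
    # Data encryption key = f(master secret, tenant secret); HMAC-SHA256 as stand-in KDF.
    return hmac.new(MASTER_SECRET, tenant_secret, hashlib.sha256).digest()

def _xor_stream(dek: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC counter-mode stream cipher (illustration only, not AES); XOR is its own inverse.
    stream = b"".join(hmac.new(dek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ k for d, k in zip(data, stream))

def toy_encrypt(dek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(dek, nonce, plaintext)

class TenantSecret:
    def __init__(self, version: int):
        self.version, self.material = version, os.urandom(32)
        self.status, self.exported = "ACTIVE", False  # ACTIVE -> ARCHIVED -> DESTROYED

class KeyManagement:
    def __init__(self):
        self.secrets, self.active, self.records = {}, None, {}

    def generate_tenant_secret(self) -> int:
        """The new secret becomes Active; the previous Active one auto-archives."""
        if self.active is not None:
            self.secrets[self.active].status = "ARCHIVED"
        self.active = len(self.secrets) + 1
        self.secrets[self.active] = TenantSecret(self.active)
        return self.active

    def write(self, record_id: str, plaintext: bytes) -> None:
        """New writes always use the Active secret."""
        dek = derive_dek(self.secrets[self.active].material)
        self.records[record_id] = (self.active, toy_encrypt(dek, plaintext))

    def read(self, record_id: str) -> bytes:
        """Reads use the secret the record was written under, unless it was destroyed."""
        version, blob = self.records[record_id]
        secret = self.secrets[version]
        if secret.status == "DESTROYED":
            raise PermissionError(f"{record_id}: tenant secret v{version} was destroyed")
        return _xor_stream(derive_dek(secret.material), blob[:16], blob[16:])

    def export_tenant_secret(self, version: int) -> bytes:
        self.secrets[version].exported = True  # material now in the admin's custody too
        return self.secrets[version].material

    def destroy_tenant_secret(self, version: int) -> None:
        """Refuse to destroy a secret that live data still depends on unless it was exported."""
        secret = self.secrets[version]
        if secret.status == "ACTIVE":
            raise ValueError("rotate first: the Active secret cannot be destroyed")
        still_used = sum(1 for v, _ in self.records.values() if v == version)
        if still_used and not secret.exported:
            raise ValueError(f"{still_used} record(s) still use v{version}, never exported")
        secret.status = "DESTROYED"

    def encryption_statistics(self) -> dict:
        """Analogue of Setup -> Encryption Statistics: how much data is on the Active secret."""
        total = len(self.records)
        on_active = sum(1 for v, _ in self.records.values() if v == self.active)
        return {"total": total, "on_active_secret": on_active, "needs_sync": total - on_active}

    def sync(self) -> dict:
        """Re-encrypt every record still under an archived secret with the Active one."""
        for record_id, (version, _) in list(self.records.items()):
            if version != self.active:
                self.write(record_id, self.read(record_id))
        return self.encryption_statistics()

def demo() -> dict:
    """Rotation walk-through on constructed sample records."""
    km = KeyManagement()
    km.generate_tenant_secret()                     # v1 Active
    km.write("acct-1", b"4111 1111 1111 1111")      # constructed sample value
    km.generate_tenant_secret()                     # v2 Active, v1 Archived
    km.write("acct-2", b"5500 0000 0000 0004")
    out = {"before_sync": km.encryption_statistics(),
           "archived_still_decrypts": km.read("acct-1") == b"4111 1111 1111 1111"}
    try:
        km.destroy_tenant_secret(1)                 # acct-1 still depends on v1
        out["destroy_refused"] = False
    except ValueError:
        out["destroy_refused"] = True
    out["after_sync"] = km.sync()                   # acct-1 re-encrypted under v2
    km.destroy_tenant_secret(1)                     # nothing references v1 any more
    out["v1_status"] = km.secrets[1].status
    out["after_destroy_readable"] = km.read("acct-1") == b"4111 1111 1111 1111"
    return out
```

Running demo() walks through one rotation: before Sync, one of two records still depends on the archived secret and destroying it is refused because nothing was exported; after Sync the statistics show every record on the Active secret, and retiring v1 costs nothing. The destroy guard is the check worth carrying into a real runbook: read Encryption Statistics and confirm an export before you destroy a key.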
How organizations use Key Management
Customer-managed key configuration (Cache-Only Key Service) ensures Salesforce administrators can't access encrypted data without explicit key release from the customer's own key service, which gives a defensible compliance posture.
Quarterly key rotation runs are sandbox-tested first; the operation is documented and repeatable.
Trade-secret encryption keys archived per regulatory retention rules; old data still decrypts via archived secrets.
Trust & references
Straight from the source - Salesforce's reference material on Key Management.
- How Shield Platform Encryption Works (Salesforce Help)
Test your knowledge
Q1. Why is understanding Key Management important for Salesforce admins?
Q2. Can a Salesforce admin configure Key Management without writing code?
Q3. In which area of Salesforce would you typically find Key Management?