suresh t 11

How do we decrypt data, that was encrypted using platform encryption?

I have enabled platform encryption in my org. I want to decrypt that data using the tenant secret. Please explain.
pcon
Once you have enabled and configured it, there should be nothing other than user permissions required to decrypt the data [1].

[1] https://help.salesforce.com/HTViewHelpDoc?id=security_pe_permissions.htm&language=en_US
suresh t 11

Hi pcon,
Thanks for the reply.

My question is:
We can export the tenant secret key for data access in cases where we need to gain access to the related data again.

I have generated new tenant secrets. How do I decrypt data that was encrypted with the old tenant secret?
Peter_sfdc
When you generate a new tenant secret the old secret(s) remain in your org, archived. Any data that is stored subsequent to rotation will be encrypted with the new key (derived from the new tenant secret).

Data that was stored with the old tenant secret will be retrieved using the key derived from the old archived tenant secret. When that record is stored again, it will be re-encrypted with the new tenant secret. 

The export of the tenant secret is for backup purposes. You can add it back to your org anytime you want. Last I looked, I believe you needed to do this with data loader or some other API tool. 

I think you might want to read the white paper (https://www.salesforce.com/assets/pdf/misc/Platform_Encryption_Architecture_White_Paper.pdf) on platform encryption architecture. This goes into explicit detail about exactly how the key lifecycle works and how keys and secrets are encrypted and decrypted.
suresh t 11
Thanks Peter... i.e. best answer.
Now I have one doubt.
Why do we need to generate a new tenant secret? ... Ans: As per the doc, it is based on our organization policy.
Give me some example or some scenario: when do we go for tenant secret generation? If I did not use a tenant secret, what might be the problem?
raju.B
Hi,

Where will we use the generated tenant key? Really, I don't understand the purpose of the tenant key.

Please help me out on this..

Thanks,
Raju.K
Ajay K Dubedi
Hi Suresh,

Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest and not just when transmitted over a network, so your company can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling private data. Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it is protected even when other lines of defense have been compromised.

Shield Platform Encryption relies on a unique tenant secret that you control and a master secret that's maintained by Salesforce. We combine these secrets to create your unique data encryption key. We use that key to encrypt data that your users put into Salesforce, and to decrypt data when your authorized users need it.

Important Links:
https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_platform_encryption_implementation_guide.pdf
https://resources.docs.salesforce.com/206/latest/en-us/sfdc/pdf/salesforce_platform_encryption_tipsheet.pdf 

Regards,
Ajay
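The key lifecycle Peter describes (old tenant secrets stay archived, each record is read back with the key derived from the secret it was stored under, a re-saved record moves to the active key, and an exported secret can be imported again) and Ajay's point that the tenant secret and the Salesforce master secret are combined into the data encryption key, as a runnable model added to this thread. This is not Salesforce code and not the Shield implementation: the HSM-based derivation is replaced by HKDF-SHA256, the cipher by AES-256-GCM, the master secret by a plain 32-byte value held in a struct field, and the "version tag on each record" is an assumption about how a store would remember which tenant secret a ciphertext belongs to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Org is a toy model of one tenant's key material (not Salesforce code).
// Assumption: the master secret is a raw 32-byte value; in the real platform it
// never leaves the HSM-backed derivation service.
type Org struct {
	master  []byte   // Salesforce-held master secret (assumed representation)
	secrets [][]byte // tenant secrets by version: last = active, earlier = archived, nil = destroyed
}

// Record is a stored ciphertext tagged with the tenant-secret version it was
// encrypted under (assumption), which is what lets old data be read after rotation.
type Record struct {
	Version int
	Nonce   []byte
	Cipher  []byte
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// hkdfSHA256 is a minimal HKDF (RFC 5869), standing in for the platform's
// undisclosed HSM-based key derivation.
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil) // extract
	var out, t []byte
	for i := byte(1); len(out) < n; i++ { // expand: T(i) = HMAC(PRK, T(i-1) || info || i)
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// NewOrg starts with one active tenant secret, version 0.
func NewOrg(master []byte) *Org {
	o := &Org{master: master}
	o.RotateTenantSecret()
	return o
}

// RotateTenantSecret generates a new tenant secret and makes it active; older
// secrets remain archived so records stored under them stay readable.
func (o *Org) RotateTenantSecret() int {
	o.secrets = append(o.secrets, mustRandom(32))
	return len(o.secrets) - 1
}

// ExportTenantSecret returns a copy of a secret for offline backup.
func (o *Org) ExportTenantSecret(v int) []byte { return append([]byte(nil), o.secrets[v]...) }

// DestroyTenantSecret discards an archived secret; records still under it become unreadable.
func (o *Org) DestroyTenantSecret(v int) { o.secrets[v] = nil }

// ImportTenantSecret restores an exported secret into its original version slot.
func (o *Org) ImportTenantSecret(v int, s []byte) { o.secrets[v] = append([]byte(nil), s...) }

// aead derives the data encryption key for one version from master + tenant secret.
func (o *Org) aead(v int) (cipher.AEAD, error) {
	if v < 0 || v >= len(o.secrets) || o.secrets[v] == nil {
		return nil, fmt.Errorf("tenant secret v%d is destroyed or unknown; cannot derive key", v)
	}
	key := hkdfSHA256(o.master, o.secrets[v], []byte(fmt.Sprintf("dek-v%d", v)), 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// versionAAD binds the version tag into the GCM authentication so a retagged record fails to open.
func versionAAD(v int) []byte { return binary.BigEndian.AppendUint32(nil, uint32(v)) }

// Encrypt always uses the active (newest) tenant secret.
func (o *Org) Encrypt(pt []byte) (Record, error) {
	v := len(o.secrets) - 1
	g, err := o.aead(v)
	if err != nil {
		return Record{}, err
	}
	nonce := mustRandom(g.NonceSize())
	return Record{v, nonce, g.Seal(nil, nonce, pt, versionAAD(v))}, nil
}

// Decrypt uses whichever version the record was stored under, active or archived.
func (o *Org) Decrypt(r Record) ([]byte, error) {
	g, err := o.aead(r.Version)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Cipher, versionAAD(r.Version))
}

// Resave models storing a record again after rotation: read under the old key, write under the active one.
func (o *Org) Resave(r Record) (Record, error) {
	pt, err := o.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return o.Encrypt(pt)
}

func main() {
	org := NewOrg(mustRandom(32))
	old, _ := org.Encrypt([]byte("4111 1111 1111 1111")) // constructed sample field value
	backup := org.ExportTenantSecret(0)
	fmt.Println("rotated, active version is now", org.RotateTenantSecret())
	pt, err := org.Decrypt(old)
	fmt.Printf("v%d record still readable: %q (err=%v)\n", old.Version, pt, err)
	fresh, _ := org.Resave(old)
	fmt.Println("after re-save the record is under version", fresh.Version)
	org.DestroyTenantSecret(0)
	_, err = org.Decrypt(old)
	fmt.Println("after destroying v0:", err)
	org.ImportTenantSecret(0, backup)
	pt, err = org.Decrypt(old)
	fmt.Printf("after importing the backup: %q (err=%v)\n", pt, err)
}
```

The point to take from the run is the one suresh asked about: nothing special is needed to read data encrypted under an old tenant secret as long as the archived secret is still in the org, and the export only matters once a secret has been destroyed. The version tag is authenticated as GCM associated data, so a record cannot be made to decrypt under a different version by editing its tag.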