Migrating to Field Encryption Enterprise
-
- UpdatedJan 30, 2025
- 2 minutes to read
- Yokohama
- Now Platform Security
Scheduled jobs migrate your keys and encrypted data from Encryption Support to Field Encryption Enterprise.
You can review the scheduled jobs by navigating to :
- autoKeyMigration: Migrates encryption context keys to Key Management Framework (KMF) cryptographic module keys.
- autoDataMigration: Migrates data that you already encrypted to use the KMF cryptographic module key.
You can modify when these scheduled jobs run, and can pause or restart them at any time.
- The Method field is Single Module.
- The Crypto module field is populated with the name of the cryptographic module that the system automatically creates. You can review that module and the module access policy, both of which are active and published.
Field Encryption Enterprise and system clones
If Field Encryption Enterprise is installed on your instance, a new field encryption module encryption key is automatically generated on the target clone instance as a part of clone process. These keys are generated for all modules to which the user has access, and that does not have a key already.
Because of this, field encryption modules on the target clone instance may have two module encryption keys present:
- An active module encryption key. This is the new key generated after clone, as long as the module is accessible to the user and has no prior keys.
- A deactivated encryption module key (from the automated key exchange transfer
The active module encryption key is used to encrypt inserted data as needed on the target clone instance. The deactivated module is used to decrypt existing data that was cloned over as part of the system clone.
To use a single key to decrypt and encrypt all data, you can run a module rekeying job. For more information about module rekeying jobs, see Schedule mass encryption, decryption, and rekeying jobs.