1. From Setup, in the Quick Find box, enter PlatformEncryption, and then select KeyManagement.
2. Click Bring Your Own Key.
3. In the Upload Tenant Secret section, attach both the encrypted key material and the hashed plaintext key material. Click Upload. This tenant secret automatically becomes the active tenant secret.Note The tenant secret whose certificate has the latest expiration dateautomatically becomes the active tenant secret.Your tenant secret is now ready to be used for key derivation. From here on,the Shield Key Management Service (KMS) uses your tenant secret to derive anorg-specific data encryption key. The app server then uses this key toencrypt and decrypt your users’ data.
4. Export your tenant secret and back it up as prescribed in your organization’s security policy.To restore your tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It’s encrypted with a different key and has additional metadata embedded in it. See Back Up Your TenantSecret in Salesforce Help.