function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Raphaël Jozeau 8Raphaël Jozeau 8 

Unable to login to new sandbox - Encryption Key Unavailable


For a Salesforce Org, in Production a Master Encryption key has been setup. I tried to create a sandbox, but, when  I login, I cannot access a screen, I have the following error message  : 


Encryption Key Unavailable
The encryption key number 1 used to encrypt this data was deleted. Contact your administrator to get access to the data. 

It makes it impossible to use the sandbox. Does any of you every had a similar issue? Or a clue how to solve this?

Thanks in advance ! 


Raj VakatiRaj Vakati
I guess this might be the reason 
  1. Your Encryption Key might be deleted by other user 
  2. Your Encryption Key was not copied as part of the salesforce refresh 
Please check 

Export and delete keys with care. If your key is destroyed, you must reimport it to access your data. You are solely responsible for making sure your data and keys are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed or misplaced k
Raphaël Jozeau 8Raphaël Jozeau 8

Thanks a lot for your answer ! 

Indeed I believe the key was not copied as part of the refresh, but since it's a DEV sandbox, I have no data at all, so it's strange I cannot access a single page.

Just to be sure : your suggestion is to archive (store securely) and delete the encryption key in Production, then make another sandbox?

Hrushi DasuHrushi Dasu
Hi Raphael,

Refreshing a sandbox from a production org creates an exact copy of the production org. If Shield Platform Encryption is enabled on the production org, all encryption settings are copied, including tenant secrets created in production. Once a sandbox is refreshed, tenant secret changes are confined to your current org. This means that when you rotate or destroy a tenant secret on sandbox, it doesn’t affect the production org.
As a best practice, rotate tenant secrets on sandboxes after a refresh. Rotation ensures that production and sandbox use different tenant secrets. Destroying tenant secrets on a sandbox renders encrypted data unusable in cases of partial or full copies.

So try importing the same key from production once and test it, that might help else unfortunately you need to refresh the sandbox org again.

Let us know if the above workaround helps.
Arturo Ordoqui 9Arturo Ordoqui 9

I'm having a similar issue.

I'm able to log into Production with no issue.  I refreshed a Dev sandbox (iow no data) and when I login in, I'm prompted to connect it to the Salesforce Authenticator App.  Able to add the login no problem and then get the same message that Raphaël reported. 
screenshot of message that says Encryption Key Unavailable The encryption key number 1 used to encrypt this data was deleted. Contact your administrator to get access to the data.

The org does not have shield enabled and I went to Security Keys and it is present and not deleted. 

screenshot of the master key encryption showing it active and not deleted

Is there something that's changed in how Sandbox refresh needs to be preformed so that the key is copied from production? I logged out and logged back in to the sandbox and it prompts me to reconnect the login to MFA Salesforce Authenticator app so I figure something got messed up, but not sure how to resolve since I can't access any of the Setup menu items to add a key. 

Arturo Ordoqui 9Arturo Ordoqui 9
I removed the 'Multi-Factor Authentication for User Interface Logins' System Permission from my System Admin User (It was assigned via a Permission Set) and then refreshed the Dev Sandbox and was able to access it with no issue as normal.