Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Encrypt Fields, Files, and Other Data Elements With Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Manage Shield Platform Encryption
Generate a Secret
Generate a Tenant Secret with Salesforce
Manage Tenant Secrets by Type
Generate Your Own Tenant Secret (BYOK)
Generate a BYOK-Compatible Certificate
Generate and Wrap Your Tenant Secret
Upload Your Tenant Secret
Opt-Out of Key Derivation with BYOK
Rotate Keys
Export a Key
Destroy a Key
Stop Encryption
Require Two-Factor Authentication for Key Management
How Encryption Works
Encryption Best Practices
Encryption Trade-Offs
Monitoring Your Organization’s Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Upload Your Tenant Secret

Once you have your tenant secret, upload it to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.

User Permissions Needed
To manage key material:

Manage Encryption Keys

AND

Manage Certificates
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. Click Bring Your Own Key.
  3. In the Upload Tenant Secret section, attach both the encrypted key material and the hashed plaintext key material. Click Upload.
    Upload tenant secret

    This tenant secret automatically becomes the active tenant secret.

    The tenant secret whose certificate has the latest expiration date automatically becomes the active tenant secret.

    Note

    Your tenant secret is now ready to be used for key derivation. From here on, the Shield Key Management Service (KMS) uses your tenant secret to derive an org-specific data encryption key. The app server then uses this key to encrypt and decrypt your users’ data.

  4. Export your tenant secret and back it up as prescribed in your organization’s security policy.
    To restore your tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It’s encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in Salesforce Help.

This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

Note