
Encrypting Platform Event Messages at Rest in the Event Bus

For increased security, you can enable encryption of platform event messages while they’re stored in the event bus in a Shield Encryption org.

When you enable encryption of platform events in a Shield Encryption org, event messages are encrypted with the key derived from the Event Bus tenant secret. The encrypted event messages are stored in the event bus for up to 3 days (or 1 day for standard-volume events). The encryption applies to all custom and standard platform events, including Salesforce Event Monitoring streamed events.

To enable encryption and delivery of platform events, first create an event bus tenant secret on the Key Management page in Setup. Then enable encryption of platform events on the Encryption Policy page.

If you don’t enable encryption of platform events in a Shield Encryption org, event messages are stored in clear text in the event bus.

Decrypting Platform Event Messages Before Delivery

Before delivering a platform event message to a subscribed client, the event payload is decrypted using the encryption key. The platform event message is sent over a secure channel using HTTPS and TLS, which ensures that the data is protected and encrypted while in transit. If the encryption key was rotated and a new key is issued, stored event messages are not re-encrypted, but they are decrypted before delivery using the archived key. If a key is destroyed, stored event messages can't be decrypted and aren't delivered.

Note: Classic Encryption is not supported.

Error Status Code

If you enable encryption and an event message can't be published because of an encryption failure, the publish operation returns the PLATFORM_EVENT_ENCRYPTION_ERROR status code. For more information, see Platform Event Error Status Codes.

Enable Encryption of Platform Events

To enable encryption of platform event messages at rest, generate an event bus tenant secret and then enable encryption.

Prerequisites:

  • A Shield Platform Encryption org.

  • User permissions needed: to manage tenant secrets, Manage Encryption Keys.

    Only authorized users can generate tenant secrets from the Platform Encryption page. Ask your Salesforce admin to assign the Manage Encryption Keys permission to you.

Steps:

  1. To generate an event bus tenant secret, from Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the Choose Tenant Secret Type dropdown list, choose Event Bus.
  3. Click Generate Tenant Secret or, to upload a customer-supplied tenant secret, click Bring Your Own Key.
    [Image: Generate a tenant secret in the Key Management page]

    Note:
    • If your org has no tenant secrets, perform Step 3 before Step 2.
    • You can generate or rotate an event bus tenant secret once every 7 days.
    • You can also generate a tenant secret through SOAP API or REST API using the TenantSecret object and the Type field value of EventBus. For more information, see TenantSecret in the Object Reference for Salesforce and Lightning Platform.

  4. To enable encryption, from Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
  5. Select Encrypt and deliver change data capture events and platform events.

    Note: You can access and control this setting in Metadata API, in PlatformEncryptionSettings. Ensure that the event bus tenant secret is created before setting enableEventBusEncryption to true.

  6. Click Save.
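The steps above can also be driven through the APIs the notes mention: the TenantSecret object (Type = EventBus) through the REST API, and enableEventBusEncryption in PlatformEncryptionSettings through the Metadata API. The following Python helpers are an added example written for this page, not Salesforce code. They build the REST request for a new Event Bus tenant secret, enforce the 7-day rotation interval, and check the ordering the note under Step 5 requires (the tenant secret must exist before enableEventBusEncryption is set to true). The instance URL, API version, settings file path, the record shape of the TenantSecret query results, and the Status values Active/Archived/Destroyed are assumptions; the sample settings document and tenant secret records are constructed, and nothing here talks to a live org.

```python
"""Offline helpers for the API routes named on this page: creating an Event Bus
tenant secret via REST (TenantSecret, Type = EventBus) and validating the
Metadata API setting enableEventBusEncryption before it is deployed."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Metadata API namespace used by *.settings files (the path
# settings/PlatformEncryption.settings in a package is an assumption).
MD_NS = "http://soap.sforce.com/2006/04/metadata"
ROTATION_INTERVAL = timedelta(days=7)  # page: generate/rotate once every 7 days


def build_tenant_secret_request(instance_url, api_version, description):
    """Return (url, json_body) for a POST that creates an Event Bus tenant secret.
    instance_url and api_version are caller-supplied assumptions."""
    url = f"{instance_url}/services/data/v{api_version}/sobjects/TenantSecret"
    body = {"Type": "EventBus", "Description": description}
    return url, json.dumps(body)


def latest_event_bus_secret(tenant_secrets):
    """Most recently created record with Type == 'EventBus', or None.
    tenant_secrets: list of dicts shaped like REST query rows (assumed shape)."""
    candidates = [s for s in tenant_secrets if s.get("Type") == "EventBus"]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s["CreatedDate"])


def rotation_allowed(tenant_secrets, now_iso):
    """True when no Event Bus tenant secret was generated in the last 7 days."""
    latest = latest_event_bus_secret(tenant_secrets)
    if latest is None:
        return True
    created = datetime.fromisoformat(latest["CreatedDate"])
    return datetime.fromisoformat(now_iso) - created >= ROTATION_INTERVAL


def event_bus_encryption_enabled(settings_xml):
    """Parse a PlatformEncryptionSettings document; False when the flag is absent."""
    root = ET.fromstring(settings_xml)
    node = root.find(f"{{{MD_NS}}}enableEventBusEncryption")
    return node is not None and (node.text or "").strip().lower() == "true"


def precondition_errors(settings_xml, tenant_secrets):
    """Enforce the ordering from the page: an Event Bus tenant secret must exist
    (and be usable) before enableEventBusEncryption is turned on. Returns a list
    of problems; an empty list means the setting is safe to deploy."""
    errors = []
    if event_bus_encryption_enabled(settings_xml):
        latest = latest_event_bus_secret(tenant_secrets)
        if latest is None:
            errors.append("enableEventBusEncryption is true but no EventBus tenant secret exists")
        elif latest.get("Status") != "Active":  # Status picklist values are an assumption
            errors.append(f"latest EventBus tenant secret is {latest.get('Status')}, not Active")
    return errors


# Constructed sample data: a settings document with the flag on, plus two records
# as a query of TenantSecret might return them.
SETTINGS_XML = f"""<PlatformEncryptionSettings xmlns="{MD_NS}">
    <enableEventBusEncryption>true</enableEventBusEncryption>
</PlatformEncryptionSettings>"""

SAMPLE_SECRETS = [
    {"Type": "Data", "Status": "Active", "CreatedDate": "2024-01-02T00:00:00+00:00"},
    {"Type": "EventBus", "Status": "Active", "CreatedDate": "2024-03-01T09:30:00+00:00"},
]

if __name__ == "__main__":
    url, body = build_tenant_secret_request("https://example.my.salesforce.com", "60.0", "event bus key")
    print("POST", url, body)
    print("rotation allowed on 2024-03-05:", rotation_allowed(SAMPLE_SECRETS, "2024-03-05T00:00:00+00:00"))
    print("precondition errors:", precondition_errors(SETTINGS_XML, SAMPLE_SECRETS))
```

Run precondition_errors against the settings file in a deployment package and a query of TenantSecret from the target org before deploying; a non-empty list means the deploy would set the flag in an org that has no usable Event Bus key, which is the situation the Step 5 note warns about.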

When you enable encryption for platform events, you also enable it for change data capture events. For more information, see Change Events for Encrypted Salesforce Data in the Change Data Capture Developer Guide.