Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Work with Key Material
Rotate Keys
Back Up Your Tenant Secrets
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Destroy a Key
Require Multi-Factor Authentication for Key Management
Bring Your Own Key (BYOK)
Bring Your Own Key Overview
Generate a BYOK-Compatible Certificate
Generate and Wrap BYOK Key Material
Sample Script for Generating a BYOK Tenant Secret
Upload Your BYOK Tenant Secret
Opt Out of Key Derivation with BYOK
Take Good Care of Your BYOK Keys
Troubleshooting Bring Your Own Key
Cache-Only Key Service
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Upload Your BYOK Tenant Secret

After you have your BYOK-compatible tenant secret, upload it to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.
Available in both Salesforce Classic and Lightning Experience.

User Permissions Needed
To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material:

Manage Encryption Keys
  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the Key Management Table, select a key type.
  3. Click Bring Your Own Key.
  4. In the Upload Tenant Secret section, attach both the encrypted key material and the hashed plaintext key material. Click Upload.
    Upload tenant secret

    This tenant secret automatically becomes the active tenant secret.

    Your tenant secret is now ready to be used for key derivation. From here on, the Shield KMS uses your tenant secret to derive an org-specific data encryption key. The app server then uses this key to encrypt and decrypt your users’ data.

    If you don’t want Salesforce to derive a data encryption key for you, you can opt out of key derivation and upload your own final data encryption key. For more information, see Opt-Out of Key Derivation with BYOK in Salesforce Help.

    You can have up to 50 active and archived tenant secrets of each type. For example, you can have one active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. This limit includes Salesforce-generated and customer-supplied key material.

    If you reach the limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data that it encrypts with an active key.

    Note

  5. Export your tenant secret, and back it up as prescribed in your organization’s security policy.
    To restore a destroyed tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It’s encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in Salesforce Help.

This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

Note