Encrypting Platform Event Messages at Rest in the Event Bus

For increased security, you can enable encryption of platform event messages while they’re stored in the event bus in a Shield Encryption org.

When you enable encryption of platform events in a Shield Encryption org, event messages are encrypted with the key derived from the Event Bus tenant secret. The encrypted event messages are stored in the event bus for up to 3 days (or 1 day for standard-volume events). The encryption applies to all custom and standard platform events, including Salesforce Event Monitoring streamed events.

To enable encryption of platform events, first create an event bus tenant secret on the Key Management page in Setup, and then turn on encryption of platform events on the Encryption Policy page.

If you don’t enable encryption of platform events in a Shield Encryption org, event messages are stored in clear text in the event bus.

Decrypting Platform Event Messages Before Delivery

Before delivering a platform event message to a subscribed client, the event payload is decrypted using the encryption key. The platform event message is sent over a secure channel using HTTPS and TLS, which ensures that the data is protected and encrypted while in transit. If the encryption key was rotated and a new key is issued, stored event messages are not re-encrypted, but they are decrypted before delivery using the archived key. If a key is destroyed, stored event messages can't be decrypted and aren't delivered.

Classic Encryption is not supported.

Note: Error Status Code

If you enable encryption and an event message could not be published due to an encryption failure, the publish operation returns the PLATFORM_EVENT_ENCRYPTION_ERROR status code. For more information, see Platform Event Error Status Codes.
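The following Apex class is an added example, not code from this Salesforce documentation page. It shows how a publisher can detect the PLATFORM_EVENT_ENCRYPTION_ERROR status code described above and separate encryption failures from other publish failures, so that an event rejected because of a key problem is reported and retried later rather than silently lost. The custom event Order_Event__e and its field Order_Id__c are hypothetical names chosen for the example, and the comparison assumes the status code is exposed on the Apex StatusCode enum under the name the page gives.

```apex
// Added example; not part of the Salesforce documentation. Assumes a custom
// platform event Order_Event__e with a text field Order_Id__c (both names
// are hypothetical).
public with sharing class EncryptedEventPublisher {

    // Publishes the given events and returns the subset whose publish failed
    // with PLATFORM_EVENT_ENCRYPTION_ERROR, in input order, so the caller can
    // queue them for a retry once the tenant secret issue has been resolved.
    public static List<Order_Event__e> publishAndCollectEncryptionFailures(
            List<Order_Event__e> events) {
        List<Order_Event__e> encryptionFailures = new List<Order_Event__e>();

        // EventBus.publish returns one SaveResult per event, in the same order
        // as the input list.
        List<Database.SaveResult> results = EventBus.publish(events);

        for (Integer i = 0; i < results.size(); i++) {
            Database.SaveResult sr = results[i];
            if (sr.isSuccess()) {
                continue;
            }
            for (Database.Error err : sr.getErrors()) {
                // Status code documented for encryption failures in the event bus.
                // Assumes the code is available on the StatusCode enum under this name.
                if (err.getStatusCode() == StatusCode.PLATFORM_EVENT_ENCRYPTION_ERROR) {
                    encryptionFailures.add(events[i]);
                    System.debug(LoggingLevel.ERROR,
                        'Encryption failure publishing event ' + i + ': ' + err.getMessage());
                } else {
                    // Any other publish failure is logged but not treated as retryable here.
                    System.debug(LoggingLevel.ERROR,
                        'Publish of event ' + i + ' failed with ' + err.getStatusCode()
                        + ': ' + err.getMessage());
                }
            }
        }
        return encryptionFailures;
    }

    // Usage: publish two constructed events and report how many need a retry.
    public static Integer publishSampleOrders() {
        List<Order_Event__e> events = new List<Order_Event__e>{
            new Order_Event__e(Order_Id__c = 'ORD-0001'),
            new Order_Event__e(Order_Id__c = 'ORD-0002')
        };
        List<Order_Event__e> toRetry = publishAndCollectEncryptionFailures(events);
        System.debug('Events needing retry after encryption failure: ' + toRetry.size());
        return toRetry.size();
    }
}
```

Keeping encryption failures separate from generic publish failures matters operationally: a PLATFORM_EVENT_ENCRYPTION_ERROR points at the tenant secret configuration (for example a missing or destroyed Event Bus key) rather than at the event data, so the right response is to alert the admin who holds the Manage Encryption Keys permission and retry after the key is restored, not to drop or rewrite the event.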

Enable Encryption of Platform Events

To enable encryption of platform event messages at rest, generate an event bus tenant secret and then enable encryption.

Prerequisites:

  • A Shield Platform Encryption org.

  • User permission needed to manage tenant secrets: Manage Encryption Keys

    Only authorized users can generate tenant secrets from the Platform Encryption page. Ask your Salesforce admin to assign the Manage Encryption Keys permission to you.

  • Before generating an Event Bus tenant secret, you must have an active Fields and Files (Probabilistic) or Fields (Deterministic) tenant secret. For instructions, see Generate a Tenant Secret with Salesforce in Salesforce Help.

Steps:

  1. To generate an event bus tenant secret, from Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. In the Key Management Table, select Event Bus.
  3. Click Generate Tenant Secret or, to upload a customer-supplied tenant secret, click Bring Your Own Key.
  4. To enable encryption, from Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Settings.
  5. Turn on Encrypt Change Data Capture Events and Platform Events.

When you enable encryption for platform events, you also enable it for change data capture events. For more information, see Change Events for Encrypted Salesforce Data in the Change Data Capture Developer Guide.