Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Work with Salesforce Key Material
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Work with External Key Material
Bring Your Own Key (BYOK)
External Key Management
Cache-Only Key Service
How Cache-Only Keys Works
Prerequisites and Terminology for Cache-Only Keys
Optimize Security Using Named Credentials and Cache-Only Keys
Create and Assemble Your Key Material
Add Replay Detection for Cache-Only Keys
Check Your Cache-Only Key Connection
Destroy a Cache-Only Key
Reactivate a Cache-Only Key
Considerations for Cache-Only Keys
Troubleshoot Cache-Only Keys
Configure Your Cache-Only Key Callout Connection
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Considerations for Cache-Only Keys

These considerations apply to all data that you encrypt using the Shield Platform Encryption Cache-Only Key Service.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

Named Credentials

To use named principals with the Shield Platform Encryption Cache-Only Keys, create a permission set for external credential principal access, and assign that permission set to the autoproc user. See Use a Named Principal-Based Credential for a Cache-Only Key.

Retry Policy

If Salesforce can’t reach your external key service, the callout fails and your active cache-only key’s status is set to Destroyed. This policy prevents excessive loads on both services. The Cache-Only Key Service then periodically retries the callout to help you minimize down time. Retries occur one time per minute for five minutes, then one time every five minutes for 24 hours. If the Cache-Only Key Service can successfully complete a callout during this retry period, your cache-only key’s status is reset to Active.

At any point during a retry period, you can activate your key material through Setup or the API pending remote key service availability. If you reactivate your key material during the retry period, all retry attempts stop.

The RemoteKeyCalloutEvent object captures every callout to your key service. You can subscribe to this event with after insert Apex triggers, and set up real-time alerts that notify you when a callout fails.

401 HTTP Responses

If there’s a 401 HTTP response, Salesforce automatically refreshes any OAuth token associated with your named credential, and retries the request.

CRM Analytics

Backups of CRM Analytics data are encrypted with your Shield Platform Encryption keys. If you encrypt data in CRM Analytics datasets with a cache-only key, make sure that the Analytics cache-only key is in the same state as your Fields and Files (Probabilistic) cache-only key.

Setup Audit Trail

Setup Audit Trail records activated cache-only key versions differently depending on whether a cache-only key with the Active status exists when you reactivate the key.

However, if you reactivate a destroyed key and there’s already another key with the Active status, the Setup Audit Trail shows the reactivated key with an updated version number.

Cache-Only Keys and Key Types

Use a separate cache-only key for each type of data you want to encrypt. You can’t use a cache-only key with multiple key types. For example, you can’t use a cache-only key to encrypt both search indexes and CRM Analytics data.

Service Protections

To protect against Shield KMS interruptions and ensure smooth encryption and decryption processes, you can have up to 10 active and archived cache-only keys of each type.

If you reach your key limit, destroy an existing key so that you can create, upload, reactivate, rearchive, or create a callout to another one. Remember to synchronize your data with an active key before destroying key material.

Hyperforce Migration

When your org moves from a non-Hyperforce platform to Hyperforce, you may need to revisit your AWS KMS IP connection settings. We recommend that Hyperforce customers adopt the best practices listed in the topic Preferred Alternatives to IP Allowlisting on Hyperforce as soon as possible.