Troubleshooting Bring Your Own Key
Read these frequently asked questions to help you troubleshoot any problems that
arise with Shield Platform Encryption’s Bring Your Own Key service.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.
- I’m trying to use the script you provide, but it doesn’t run.
- Make sure that you’re running the right script for your operating system. If you’re working on a Windows machine, you can install a Linux emulator and use the Linux script. These issues can also prevent the script from running:
- You don’t have write permission in the folder you’re trying to run the script from. Try running the script from a folder that you have write permission for.
- The certificate that the script references is missing. Make sure you’ve properly generated the certificate.
- The certificate is missing or isn’t being referenced by the correct name. Make sure you’ve entered the correct file name for your certificate in the script.
- I want to use the script you provide, but I also want to use my own random number generator.
- The script we provide uses a random number generator to create a random value that is then used as your tenant secret. If you want to use a different generator, replace head -c 32 /dev/urandom | tr '\n' = (or, in the Mac version, head -c 32 /dev/urandom > $PLAINTEXT_SECRET) with a command that generates a random number using your preferred generator.
- What if I want to use my own hashing process to hash my tenant secret?
- No problem. Make sure that the result meets these requirements:
- Uses the SHA-256 algorithm.
- Results in a base64-encoded hashed tenant secret.
- Generates the hash of the random number BEFORE encrypting it.
- How should I encrypt my tenant secret before I upload it to Salesforce?
- If you’re using the script provided, the encryption process is taken care of. If you don’t use the script, specify the OAEP padding scheme when you encrypt your tenant secret. Make sure the resulting encrypted tenant secret and hashed tenant secret files are encoded using base64. If either requirement isn’t met, you can’t upload your tenant secret.
- If you choose to not use the script provided, follow the instructions in the Generate And Wrap Your Tenant Secret Help topic.
- My wrapped DEK isn’t accepted. What do I do?
- Make sure that you wrap your root-key generated DEKs (such as for Search Index Encryption and Database Encryption) with the public key from the BYOK-compatible certificate that you generated, using the SHA512 padding algorithm. Wrap your other BYOK tenant secrets using the SHA1 algorithm.
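The generate, hash, base64 and OAEP-wrap requirements from the questions above, as an added example (not Salesforce’s own script) that uses the OpenSSL CLI and adds a pre-upload size check; the file names, the certificate path and the throwaway-key round trip are assumptions, and it also covers the SHA-512 OAEP variant used for root-key-generated DEKs.

```shell
#!/bin/sh
# Added example, not Salesforce's script: prepare BYOK tenant secret files with
# the OpenSSL CLI and pre-check them before upload. Paths are assumptions.
set -eu

# Generate a 32-byte tenant secret, hash it (SHA-256, base64) BEFORE wrapping,
# then wrap the raw secret with RSA-OAEP under the certificate's public key.
#   $1 = PEM certificate   $2 = output directory
#   $3 = OAEP digest: sha1 for tenant secrets, sha512 for root-key-generated DEKs
make_tenant_secret() {
  cert="$1"; out="$2"; oaep_md="${3:-sha1}"
  head -c 32 /dev/urandom > "$out/tenant_secret.bin"
  # Hash the raw random bytes first; write the binary digest as one base64 line.
  openssl dgst -sha256 -binary "$out/tenant_secret.bin" \
    | openssl base64 -A > "$out/hashed_tenant_secret.b64"
  # Pull the public key out of the certificate and wrap the secret with OAEP.
  openssl x509 -in "$cert" -pubkey -noout > "$out/wrap_pub.pem"
  openssl pkeyutl -encrypt -pubin -inkey "$out/wrap_pub.pem" \
    -in "$out/tenant_secret.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$oaep_md" \
    | openssl base64 -A > "$out/encrypted_tenant_secret.b64"
}

# Pre-upload check: both files are present and decode as base64, the hash is
# 32 bytes (SHA-256) and the wrapped secret is 512 bytes (one RSA-4096 block).
# Any other sizes point at the wrong digest, key size, or encoding.
check_byok_files() {
  enc="$1"; hashed="$2"
  [ -s "$enc" ] && [ -s "$hashed" ] || return 1
  hash_len=$(tr -d '\n' < "$hashed" | openssl base64 -d -A | wc -c | tr -d ' ')
  enc_len=$(tr -d '\n' < "$enc" | openssl base64 -d -A | wc -c | tr -d ' ')
  [ "$hash_len" -eq 32 ] && [ "$enc_len" -eq 512 ]
}

# Local round trip with a throwaway key pair: the real certificate's private key
# is not exportable, so this only confirms the wrapping parameters are right.
unwrap_tenant_secret() {
  key="$1"; enc="$2"; oaep_md="${3:-sha1}"
  tr -d '\n' < "$enc" | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$oaep_md"
}
```

The digest passed as the third argument must match on both sides: a secret wrapped with SHA-1 OAEP does not unwrap under SHA-512 OAEP, which is the mismatch behind a rejected DEK.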
- My certificate is about to expire. What do I do?
- An expired certificate doesn’t affect the active state of the secret that it wraps. Your certificate gives assurance to the recipient that the received secret was sent and wrapped by you. If you use an expired certificate, your secret is still protected, but the receiving party is notified that the certificate is expired. Salesforce doesn’t block your secret if it’s wrapped with an expired certificate. Note that you can’t upload a new secret or DEK using an expired certificate.
- I can’t upload my Encrypted tenant secret and Hashed tenant secret.
- A handful of errors can prevent your files from uploading. Use the chart to make sure that your tenant secrets and certificates are in order.

| Possible cause | Solution |
|---|---|
| Your files were generated with an expired certificate. | Check the date on your certificate. If it has expired, you can renew your certificate or use another one. |
| Your certificate isn’t active, or isn’t a valid Bring Your Own Key certificate. | Ensure that your certificate settings are compatible with the Bring Your Own Key feature. Under the Certificate and Key Edit section of the Certificates page, select a 4096-bit certificate size, disable Exportable Private Key, and enable Platform Encryption. Read more about expired certificates in the “My certificate is about to expire” section. |
| You haven’t attached both the encrypted tenant secret and the hashed tenant secret. | Make sure that you attach both the encrypted tenant secret and the hashed tenant secret. Both of these files should have a .b64 suffix. |
| Your tenant secret or hashed tenant secret wasn’t generated properly. | Several problems can cause this error. Usually, the tenant secret or hashed tenant secret wasn’t generated using the correct SSL parameters. If you’re using OpenSSL, refer to the script for an example of the correct parameters to generate and hash your tenant secret. If you’re using a library other than OpenSSL, check that library’s support page for help finding the correct parameters to both generate and hash your tenant secret. |

Still stuck? Contact your Salesforce account executive. They’ll put you in touch with someone at Salesforce who can help.
- I’m still having problems with my key. Who should I talk to?
- If you still have questions, contact your account executive. They’ll put you in touch with a support team specific to this feature.