Generate a BYOK-Compatible Certificate

To encrypt data in Salesforce with Bring Your Own Key (BYOK) key material, use Salesforce to generate a 4096-bit RSA certificate. You can generate a self-signed or certificate-authority (CA) signed certificate. Each BYOK-compatible certificate’s private key is encrypted with a derived, org-specific tenant secret key.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
To edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service: Manage Certificates AND Customize Application AND Manage Encryption Keys

This task shows how to create a self-signed certificate using Setup. If you’re not sure whether a self-signed or CA-signed certificate is right for you, consult your organization’s security policy. For more information about what each option implies, see Certificates and Keys.

To create a CA-signed certificate, follow the instructions in Generate a Certificate Signed By a Certificate Authority. To make sure that your certificate is BYOK-compatible, remember to manually change the Exportable Private Key, Key Size, and Platform Encryption settings.

To create a self-signed certificate:

  1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
  2. Click Bring Your Own Key.
  3. Click Create Self-Signed Certificate.
  4. Enter a unique name for your certificate in the Label field. The Unique Name field automatically assigns a name based on what you enter in the Label field.

    The Exportable Private Key, Key Size, and Use Platform Encryption settings are preset. (For a BYOK certificate, you must select 4096 for the key size.) These settings ensure that your self-signed certificate is compatible with Salesforce Shield Platform Encryption.

    [Figure: BYOK-compatible self-signed certificate settings]

  5. When the Certificate and Key Detail page appears, click Download Certificate.
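After step 5 you hold the certificate file that Salesforce generated. Of the three preset settings, only the key algorithm and key size can be confirmed from that file (the Exportable Private Key and Use Platform Encryption settings are visible only in Setup). The script below is an added example, not Salesforce tooling; it assumes openssl is installed and accepts either a PEM- or DER-encoded certificate, exiting 0 only when the public key is RSA and exactly 4096 bits, as the page requires for BYOK.

```shell
#!/bin/sh
# Added example (not from Salesforce): check that a downloaded certificate
# carries a 4096-bit RSA public key, the BYOK requirement stated above.
# Assumes the openssl CLI is available.

# Run `openssl x509 -text` on a PEM or DER certificate file.
byok_cert_text() {
  _fmt=PEM
  # No PEM header means we treat the file as DER.
  grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || _fmt=DER
  openssl x509 -in "$1" -inform "$_fmt" -noout -text 2>/dev/null
}

# Print the public key algorithm name (e.g. rsaEncryption), or nothing.
byok_key_algo() {
  byok_cert_text "$1" | sed -n 's/.*Public Key Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Print the public key size in bits, or nothing if it cannot be read.
# Matches both "RSA Public-Key: (4096 bit)" (OpenSSL 1.1) and
# "Public-Key: (4096 bit)" (OpenSSL 3).
byok_key_bits() {
  byok_cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status 0 only for an RSA key of exactly 4096 bits.
byok_check_cert() {
  _algo=$(byok_key_algo "$1")
  _bits=$(byok_key_bits "$1")
  [ "$_algo" = "rsaEncryption" ] && [ "$_bits" = "4096" ]
}

# Usage: sh byok_check.sh <certificate file>
if [ $# -gt 0 ]; then
  if byok_check_cert "$1"; then
    echo "OK: $1 has a 4096-bit RSA public key (BYOK-compatible)"
  else
    echo "NOT BYOK-compatible: $1 has $(byok_key_algo "$1") $(byok_key_bits "$1")-bit key" >&2
    exit 1
  fi
fi
```

Run it against the file from Download Certificate before wrapping your key material with it; a certificate created through the generic Certificate and Key Management page with the default 2048-bit size fails the check, which is exactly the mistake the Key Size setting above prevents.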