Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Work with Salesforce Key Material
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Work with External Key Material
Bring Your Own Key (BYOK)
Bring Your Own Key Overview
Generate a BYOK-Compatible Certificate
Generate and Wrap BYOK Key Material
Sample Script for Generating a BYOK Tenant Secret
Upload Your BYOK Key Material
Opt Out of Key Derivation with BYOK
Take Good Care of Your BYOK Keys
Troubleshooting Bring Your Own Key
External Key Management
Cache-Only Key Service
Configure Your Cache-Only Key Callout Connection
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Opt Out of Key Derivation with BYOK

If you don’t want Shield Platform Encryption to derive a data encryption key for you, you can opt out of key derivation and upload your own DEK. Opting out gives you even more control of the key material used to encrypt and decrypt your data.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption. Available in Developer Edition at no charge.

User Permissions Needed
To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material: Manage Encryption Keys
To allow BYOK to opt out of key derivation: Customize Application

AND

Manage Encryption Keys

This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

Note

Generate your customer-supplied data encryption key using a method of your choice. Then calculate an SHA256 hash of the key, and encrypt it with the public key from a BYOK-compatible certificate. See Upload Your BYOK Key Material for details about how to prepare customer-supplied key material.

  1. Make sure that your org has the Bring Your Own Keys feature enabled. To enable this feature, contact Salesforce Customer Support.
  2. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
  3. In the Advanced Encryption Settings section, turn on Allow BYOK to Opt-Out of Key Derivation.
    You can also enable the Allow BYOK to Opt-Out of Key Derivation setting programmatically. See EncryptionKeySettings in the Metadata API Developer Guide.
    You can now opt out of key derivation when you upload key material.
  4. From Setup, in the Quick Find box, enter Key Management, and then select Key Management.
  5. In the Key Management Table, select a key type.
  6. Click Bring Your Own Key.
  7. Deselect Use Salesforce key derivation.
    Uncheck Use Salesforce key derivation option
  8. In the Upload Tenant Secret section, attach your encrypted data encryption key and your hashed plaintext data encryption key.
  9. Click Upload.
    This data encryption key automatically becomes the active key. From now on, the Shield Key Management Service (KMS) skips the derivation process and uses your data encryption key to directly encrypt and decrypt your data. You can review the derivation status of all key material on the Key Management page.
    An uploaded tenant secret becomes the active secret.
  10. Export your data encryption key and back it up as prescribed in your organization’s security policy.
    To restore your data encryption key, reimport it. The exported data encryption key is different from the data encryption key that you uploaded. It’s encrypted with a different key and has additional embedded metadata. See Back Up Your Tenant Secret in Salesforce Help.