Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Terminology
Components Involved in Deriving Keys
Classic vs Platform Encryption
Key Material Storage
Shield Encryption Flow
Search Index Encryption Flow
Sandbox
Why BYOK?
Masked Data
Hyperforce
Deployment
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Why Bring Your Own Key?

Shield Platform Encryption’s Bring Your Own Key (BYOK) feature gives you an extra layer of protection if there’s unauthorized access to critical data. It can also help you meet the regulatory requirements that come with handling financial, health, or personal data. After you set up your key material, use Shield Platform Encryption as you always do to encrypt data at rest in your Salesforce org.

Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Important

Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge.

With Shield Platform Encryption Salesforce administrators can manage the lifecycle of their data encryption keys while protecting these keys from unauthorized access. By controlling the lifecycle of your organization’s tenant secrets, you control the lifecycle of the data encryption keys derived from them. Alternatively, you can opt out of key derivation altogether and upload a final data encryption key.

Data encryption keys aren’t stored in Salesforce. Instead, they’re derived from the primary secret (KDF seed, formerly master secret) and the tenant secret on demand whenever a key is needed to encrypt or decrypt customer data. The primary secret is generated one time per release for everyone during a High Assurance Virtual Ceremony (HAVC) by using a hardware security module (HSM). The tenant secret is unique to your org, and you control when it’s generated, activated, revoked, or destroyed.

You have four options for setting up your key material.

  • Use Shield Platform Encryption to generate your org-specific tenant secrets.
  • Use the infrastructure of your choice, such as an on-premises HSM, to generate and manage your tenant secret outside of Salesforce. Then upload that tenant secret to the regional Salesforce KMS. This option is known as Bring Your Own Key, although the element you’re really bringing is the tenant secret from which the key is derived.
  • Opt out of the Shield Platform Encryption key derivation process with the Bring Your Own Key service. Use the infrastructure of your choice to create a data encryption key instead of a tenant secret. Then upload this data encryption key to the regional Shield KMS. When you opt out of derivation on a key-by-key basis, the Shield Platform Encryption bypasses the derivation process and uses this key material as your final data encryption key. You can rotate customer-supplied data encryption keys just like you can rotate a customer-supplied tenant secret.
  • Generate and store your key material outside of Salesforce by using a key service of your choice. Then use either the External Key Management Service or the Salesforce Cache-Only Key Service to fetch your key material on demand. Your key service transmits your key material over a secure channel that you configure. It’s then encrypted and stored in the cache for immediate encryption and decryption operations.