Why Bring Your Own Key?
Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge.
With Shield Platform Encryption, Salesforce administrators can manage the lifecycle of their data encryption keys while protecting those keys from unauthorized access. By controlling the lifecycle of your organization’s tenant secrets, you control the lifecycle of the data encryption keys derived from them. Alternatively, you can opt out of key derivation altogether and upload a final data encryption key.
Data encryption keys aren’t stored in Salesforce. Instead, they’re derived from the primary secret (KDF seed, formerly master secret) and the tenant secret on demand whenever a key is needed to encrypt or decrypt customer data. The primary secret is generated one time per release for everyone during a High Assurance Virtual Ceremony (HAVC) by using a hardware security module (HSM). The tenant secret is unique to your org, and you control when it’s generated, activated, revoked, or destroyed.
You have four options for setting up your key material.
- Use Shield Platform Encryption to generate your org-specific tenant secrets.
- Use the infrastructure of your choice, such as an on-premises HSM, to generate and manage your tenant secret outside of Salesforce. Then upload that tenant secret to the regional Salesforce KMS. This option is known as Bring Your Own Key, although the element you’re really bringing is the tenant secret from which the key is derived.
- Opt out of the Shield Platform Encryption key derivation process with the Bring Your Own Key service. Use the infrastructure of your choice to create a data encryption key instead of a tenant secret. Then upload this data encryption key to the regional Shield KMS. When you opt out of derivation on a key-by-key basis, Shield Platform Encryption bypasses the derivation process and uses this key material as your final data encryption key. You can rotate customer-supplied data encryption keys just like you can rotate a customer-supplied tenant secret.
- Generate and store your key material outside of Salesforce by using a key service of your choice. Then use either the External Key Management Service or the Salesforce Cache-Only Key Service to fetch your key material on demand. Your key service transmits your key material over a secure channel that you configure. It’s then encrypted and stored in the cache for immediate encryption and decryption operations.
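The following is an added illustrative model, not Salesforce code, of the two key-material paths described above: a data encryption key derived on demand from a release-wide primary secret (KDF seed) plus an org-specific tenant secret, and the opt-out path where the uploaded bytes are used directly as the final key with no derivation. The page does not specify which KDF Salesforce uses, its input lengths, or any context labels, so HKDF-SHA256 (RFC 5869) is a stand-in, the `purpose` label and the `TenantKeyMaterial` class are assumptions, and all secrets below are constructed sample values.

```python
"""Illustrative model of derived vs. customer-supplied data encryption keys (not Salesforce code)."""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): concatenate T(1) || T(2) || ... and truncate to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-SHA256")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceiling(length / HASH_LEN) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_dek(primary_secret: bytes, tenant_secret: bytes, purpose: bytes, length: int = 32) -> bytes:
    """Derive a data encryption key from the release-wide primary secret (the KDF seed)
    and the org-specific tenant secret. The DEK is never stored: the same two inputs
    always reproduce it, so it is re-derived whenever needed and discarded after use.
    (Assumed construction: the page does not describe Salesforce's actual KDF.)"""
    prk = hkdf_extract(salt=primary_secret, ikm=tenant_secret)
    return hkdf_expand(prk, info=purpose, length=length)


class TenantKeyMaterial:
    """Per-org key material, generated by the platform or uploaded by the org (hypothetical class).

    derive=True  : the bytes are a tenant secret that feeds the KDF (default and BYOK paths).
    derive=False : the bytes are the final DEK itself (opt-out-of-derivation path);
                   the KDF is bypassed and the material is used as-is.
    The status field is a simplified model of the lifecycle the page describes.
    """

    def __init__(self, material: bytes, derive: bool = True):
        if len(material) < 32:
            raise ValueError("key material must be at least 256 bits")
        self.material = material
        self.derive = derive
        self.status = "ACTIVE"

    def destroy(self) -> None:
        """Destroying the material makes every DEK that depends on it unrecoverable."""
        self.material = b"\x00" * len(self.material)  # best-effort wipe of this model's copy
        self.status = "DESTROYED"

    def data_encryption_key(self, primary_secret: bytes, purpose: bytes) -> bytes:
        """Produce the DEK for one operation; refuse once the material is no longer active."""
        if self.status != "ACTIVE":
            raise PermissionError(f"key material is {self.status}; cannot produce a DEK")
        if self.derive:
            return derive_dek(primary_secret, self.material, purpose)
        return self.material  # opt-out path: customer-supplied bytes are the final key


def hkdf_self_check() -> bool:
    """RFC 5869 test case 1: confirms the HKDF implementation before any derived key is trusted."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


if __name__ == "__main__":
    # Constructed sample secrets; not real key material.
    primary_secret = bytes.fromhex("11" * 32)  # one per release, from the HAVC/HSM
    org_a = TenantKeyMaterial(bytes.fromhex("a1" * 32))                # derived path
    org_b = TenantKeyMaterial(bytes.fromhex("b2" * 32), derive=False)  # opt-out path
    purpose = b"shield:field-encryption"  # assumed context label

    dek_a = org_a.data_encryption_key(primary_secret, purpose)
    assert dek_a == org_a.data_encryption_key(primary_secret, purpose)  # re-derivable, so never stored
    assert org_b.data_encryption_key(primary_secret, purpose) == org_b.material  # KDF bypassed
    org_a.destroy()
    try:
        org_a.data_encryption_key(primary_secret, purpose)
    except PermissionError as exc:
        print("after destroy:", exc)
    print("HKDF self-check passed:", hkdf_self_check())
```

The point the model makes is that under the derived path neither side holds a usable DEK at rest: the platform holds only the primary secret and the org-controlled tenant secret, and destroying the tenant secret removes the ability to reproduce any key derived from it. Under the opt-out path the uploaded bytes are the key, so their protection in transit and in the cache is the whole story.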