Salesforce Security Guide
Work with External Key Material
So you can maintain tighter control over your key material, Salesforce offers you three options: BYOK (Bring Your Own Key), EKM (External Key Management), and the Cache-Only Key Service.

- Bring Your Own Key (BYOK)
  When you supply your own tenant secret or data encryption key (DEK), you get the benefits built into Salesforce Shield Platform Encryption, plus the extra assurance that comes from exclusively managing your own key material.
- External Key Management
  Shield External Key Management (EKM) connects your Salesforce implementation to your keys in AWS KMS and uses those keys for encryption operations on Salesforce data. EKM fetches your keys on demand from AWS KMS over a secure channel. EKM stores your key in the key cache and uses your key for immediate encrypt and decrypt operations. Salesforce doesn’t retain or persist your cached EKM keys in any system of record or backups. You can revoke key material at any time.
- Cache-Only Key Service
  Shield Platform Encryption’s Cache-Only Key Service addresses a unique need for non-persisted key material. You can store your key material outside of Salesforce in any key repository or service that you control and have the Cache-Only Key Service fetch your key on demand from that key service. Your key service transmits your key over a secure channel that you configure, and the Cache-Only Key Service uses your key for immediate encrypt and decrypt operations. Salesforce doesn’t retain or persist your cache-only keys in any system of record or backups. You can revoke key material at any time.
- Configure Your Cache-Only Key Callout Connection
  Use a named credential to specify the endpoint for your callout, and identify the key that you want to fetch from your endpoint.