Enable 256-Bit Encryption of Authorization Files

Salesforce CLI uses 128-bit encryption to encrypt its internal files, such as the authorization (auth) files associated with the orgs you’ve logged into. For increased security, you can enable 256-bit encryption.

For simplicity in this document, we call 128-bit encryption v1 crypto and 256-bit encryption v2 crypto.

Prerequisites

You must complete all these steps before you enable v2 crypto. If you don’t, your Salesforce CLI installation can be a mix of v1 crypto and v2 crypto, which can result in errors.
  1. Gather the usernames and passwords for all your existing authorized orgs, including for any scratch orgs that you want to continue using after enabling v2 crypto.
    Part of enabling v2 crypto includes reauthorizing all your existing authorized orgs.
  2. Update to the latest version of Salesforce CLI; if you use Salesforce Extensions for VS Code, be sure to update to its latest version too.
    For Salesforce CLI, read the update documentation. For Salesforce Extensions for VS Code, see the installation documentation.
  3. Ensure that all third-party plugins installed on your system are ready for v2 crypto.
    1. Open a terminal (macOS and Linux) or PowerShell command-line shell (Windows).
    2. Run the doctor command.
      sf doctor
    3. In the output, make sure that the [@salesforce/plugin-auth] CLI supports v2 crypto test is passing, as shown in this sample output:
      pass - [@salesforce/plugin-auth] CLI supports v2 crypto
      If the test fails, at least one plugin in your Salesforce CLI installation is using an outdated version of the @salesforce/core library. v2 crypto supports only plugins that use version 6.7.0 or later of @salesforce/core. All the core plugins that ship with the latest Salesforce CLI version use a supported version of @salesforce/core, so the problem is most likely one of your user-installed plugins. Work with your plugin provider to request an update.

Enable 256-Bit Encryption (v2 Crypto)

To update your Salesforce CLI installation to use v2 crypto, complete these steps.
  1. Did you complete all the prerequisites? They’re important, so be sure you finish all the steps.
  2. Make a backup copy of the sfdx key in your key store.
    • On Windows, your key store is a file called key.json. The file is usually in the .sfdx directory in your home directory, such as C:\Users\<username>\.sfdx.
    • On macOS or Linux:
      • If the SF_USE_GENERIC_UNIX_KEYCHAIN environment variable is set, your key is in the file key.json. This file is usually in the .sfdx directory in your home directory, such as /Users/<username>/.sfdx.
      • Otherwise, on macOS, your key store is most likely in the Keychain Access app. On Linux, the key store depends on the specific flavor of Linux you’re using; refer to your documentation.
  3. Rename the Salesforce CLI .sfdx directory.
    For example, open a terminal (macOS and Linux) and run this command.
    mv ~/.sfdx ~/.sfdx-bak
  4. Set the SF_CRYPTO_V2 environment variable to true.
    export SF_CRYPTO_V2=true
  5. Log in to one of your orgs using one of the org login commands.
    For example, run the org login web CLI command from a terminal or command prompt, and log in to your org using the browser that opens.
  6. After successfully logging into your org, confirm that you’re using the new improved encryption (v2 crypto).
    • If you’re using key.json as your key store:
      • Run sf doctor.
      • Ensure that the output includes the message CLI using stable v2 crypto.
    • If you’re not using key.json as your key store:
      • Locate the sfdx key in your key store application.
      • Confirm that the key is 64 characters long.
  7. Unset the SF_CRYPTO_V2 environment variable because you no longer need it.
    unset SF_CRYPTO_V2
  8. Log in to the rest of your orgs.
Your Salesforce CLI installation now uses 256-bit encryption for its internal files.
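The prerequisite doctor check (step 3 of the prerequisites) and the backup and verification steps (steps 2 and 6 above) can be scripted so you do not start the migration from a broken state or lose the only copy of your key. The POSIX shell helpers below are an added example and are not part of Salesforce CLI or its documentation. They assume a key.json key store (Windows, or macOS/Linux with SF_USE_GENERIC_UNIX_KEYCHAIN set) whose "key" member holds the hex-encoded key, and that a 128-bit v1 key is 32 hex characters while a 256-bit v2 key is the 64 characters this page tells you to look for; the doctor output embedded in the script is a constructed sample built from the two lines quoted above, not real captured output.

```shell
#!/bin/sh
# Added helpers for the v2-crypto migration on this page. Not Salesforce CLI code.
# Assumption: key.json is a JSON object whose "key" member is the hex key
# (32 hex chars = 128-bit v1 key, 64 hex chars = 256-bit v2 key).

# Constructed sample of the `sf doctor` lines this page quotes; not real output.
SAMPLE_DOCTOR_OK='pass - [@salesforce/plugin-auth] CLI supports v2 crypto
pass - [@salesforce/plugin-auth] CLI using stable v2 crypto'
SAMPLE_DOCTOR_OLD='fail - [@salesforce/plugin-auth] CLI supports v2 crypto'

# Prerequisite check: does the doctor output show the plugin-auth v2 test passing?
# $1 is the captured output, e.g. "$(sf doctor)". Returns 0 on pass.
doctor_supports_v2() {
  printf '%s\n' "$1" | grep -qF 'pass - [@salesforce/plugin-auth] CLI supports v2 crypto'
}

# Step 6 (key.json users): does the doctor output confirm stable v2 crypto?
doctor_using_v2() {
  printf '%s\n' "$1" | grep -qF 'CLI using stable v2 crypto'
}

# Pull the "key" string out of a key.json file (assumed layout, see above).
read_key_value() {
  sed -n 's/.*"key"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify the stored key by length: prints v1, v2 or unknown.
# Used before migrating (is this really a v1 key?) and after (is it now 64 chars?).
key_crypto_version() {
  key=$(read_key_value "$1")
  case "$key" in
    *[!0-9a-fA-F]*) echo unknown; return 1 ;;
  esac
  case ${#key} in
    32) echo v1 ;;
    64) echo v2 ;;
    *)  echo unknown; return 1 ;;
  esac
}

# Step 2: copy key.json to a path OUTSIDE the .sfdx directory, so the later
# `mv ~/.sfdx ~/.sfdx-bak` cannot carry the backup away with it. Prints the path.
# $1 = .sfdx directory (default ~/.sfdx), $2 = backup path (default timestamped file).
backup_key_file() {
  sfdx_dir=${1:-"$HOME/.sfdx"}
  backup=${2:-"$HOME/sfdx-key-$(date +%Y%m%d%H%M%S).json.bak"}
  [ -f "$sfdx_dir/key.json" ] || { echo "no key.json in $sfdx_dir" >&2; return 1; }
  # The backup holds the secret that protects every auth file: keep it owner-only.
  cp -p "$sfdx_dir/key.json" "$backup" && chmod 600 "$backup" && echo "$backup"
}

# Pre-flight: refuse to start unless the doctor test passes and the current key
# is a recognisable v1 key. $1 = doctor output, $2 = .sfdx directory.
v2_preflight() {
  doctor_supports_v2 "$1" || { echo "a plugin still uses an old @salesforce/core" >&2; return 1; }
  case "$(key_crypto_version "$2/key.json")" in
    v1) echo "ready: v1 key found, doctor test passes" ;;
    v2) echo "already on v2 crypto"; return 2 ;;
    *)  echo "could not read a v1/v2 key from $2/key.json" >&2; return 1 ;;
  esac
}

# Stand-alone usage against the live machine (uncomment to run, or source this file):
# v2_preflight "$(sf doctor)" "$HOME/.sfdx" && backup_key_file
```

Source the file in the same shell where you will later run `export SF_CRYPTO_V2=true`, run `v2_preflight "$(sf doctor)" "$HOME/.sfdx"` and `backup_key_file` before renaming `~/.sfdx`, and after step 5 run `key_crypto_version ~/.sfdx/key.json`, which should print `v2`. If your key lives in Keychain Access or a Linux secret store rather than key.json, only the two doctor functions apply; check the key length in that application by hand as step 6 describes.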

Go Back to 128-Bit Encryption (v1 Crypto)

After you enable v2 crypto, there’s nothing more for you to do; auth files automatically start using 256-bit encryption. However, if you must revert to using v1 crypto due to unforeseen circumstances, follow these steps.
  1. If you haven’t already, unset the SF_CRYPTO_V2 environment variable.
    unset SF_CRYPTO_V2
  2. Move the renamed .sfdx-bak directory back to its original name (.sfdx).
    For example, on macOS or Linux:
    mv ~/.sfdx-bak ~/.sfdx
  3. If you’re not using key.json as your key store, use the backup copy of the sfdx key and set it back to its original value in your password manager, such as the Keychain Access app on macOS.
    If you’re using key.json as your key store, you don’t have to do anything because the original value has been restored as part of the previous step.
  4. All your original org authentications are now restored. To check that they’re working correctly, run the org open command on one of your orgs; if the browser automatically opens to the org’s UI correctly, then the recovery was successful. If the browser doesn’t open to your org, manually log into it again.