Generate a random number as your tenant secret. Then calculate an SHA-256 hash of the secret, and encrypt the secret with the public key from the certificate you generated.
Available as add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for organizations created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
To manage tenant secrets, you need the “Manage Encryption Keys” permission.
Generate a 256-bit tenant secret using the method of your choice.
You can generate your tenant secret in one of two ways:
- Use your own on-premise resources to generate a tenant secret programmatically, using an open source library such as Bouncy Castle or OpenSSL.
- Use a key brokering partner that can generate, secure, and share access to your tenant secret.
Wrap your tenant secret with the public key from the BYOK-compatible certificate you generated.
Specify the OAEP padding scheme. Make sure the resulting encrypted tenant secret and hashed tenant secret files are encoded using base64.
Encode this encrypted tenant secret to base64.
Calculate an SHA-256 hash of the plaintext tenant secret.
Encode the SHA-256 hash of the plaintext tenant secret to base64.
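The steps above as a single OpenSSL script, added here as an example and not part of the original page. The function names, file names, and the throwaway demo certificate are assumptions; the OAEP digest is left at OpenSSL's default (SHA-1) because the page does not name one.

```bash
#!/usr/bin/env bash
# Added example: prepare a BYOK tenant secret with the OpenSSL CLI.
umask 077  # files holding secret material are readable by the owner only

# wrap_tenant_secret CERT_PEM OUT_DIR  (hypothetical helper and file names)
# Writes tenant_secret.bin (plaintext, keep it offline), encrypted_secret.b64
# and secret_hash.b64 into OUT_DIR.
wrap_tenant_secret() {
  local cert="$1" out="$2"
  mkdir -p "$out" || return 1
  # 256-bit (32-byte) tenant secret from OpenSSL's CSPRNG.
  openssl rand -out "$out/tenant_secret.bin" 32 || return 1
  # Wrap with the certificate's RSA public key, OAEP padding.
  # Assumption: OpenSSL's default OAEP digest (SHA-1); the page names none.
  openssl pkeyutl -encrypt -certin -inkey "$cert" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$out/tenant_secret.bin" -out "$out/encrypted_secret.bin" || return 1
  # Base64-encode the ciphertext on one line, then drop the binary copy.
  openssl base64 -A -in "$out/encrypted_secret.bin" \
    -out "$out/encrypted_secret.b64" || return 1
  rm -f "$out/encrypted_secret.bin"
  # Raw SHA-256 digest of the plaintext secret, base64-encoded.
  openssl dgst -sha256 -binary "$out/tenant_secret.bin" |
    openssl base64 -A > "$out/secret_hash.b64" || return 1
}

# make_demo_cert DIR: constructed self-signed stand-in for the BYOK-compatible
# certificate, so the script runs offline. Not a real Salesforce certificate.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=byok-demo" -days 1 \
    -keyout "$1/demo_key.pem" -out "$1/demo_cert.pem" 2>/dev/null
}

# unwrap_matches KEY_PEM OUT_DIR: demo-only round trip. With a real
# certificate the private key is not available to you.
unwrap_matches() {
  openssl base64 -d -A -in "$2/encrypted_secret.b64" |
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep |
    cmp -s - "$2/tenant_secret.bin"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_demo_cert "$d" &&
    wrap_tenant_secret "$d/demo_cert.pem" "$d/out" &&
    unwrap_matches "$d/demo_key.pem" "$d/out" && echo "round trip OK: $d/out"
fi
```

Run it with `--demo` to exercise the round trip against the throwaway certificate; for real use, call `wrap_tenant_secret` with the path to your BYOK-compatible certificate and keep `tenant_secret.bin` under the same controls as any other key material.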