          Shield Platform Encryption Terminology

          Encryption has its own specialized vocabulary. To get the most out of your Shield Platform Encryption features, it’s a good idea to familiarize yourself with key terminology.

Required Editions

Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.

Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Note: This content relates to Shield Platform Encryption. Read about implementing field-level encryption using Shield Extension in Own from Salesforce.
Cache Key Encrypting Key (Cache KEK)
The key components used to derive the final data encryption keys temporarily reside in the encrypted key cache. The cache KEK encrypts those components while they're in the cache.

Data Encryption
The process of applying a cryptographic function to data, producing ciphertext. Shield Platform Encryption uses symmetric encryption: 256-bit Advanced Encryption Standard (AES) in cipher block chaining (CBC) mode, with a fresh random 128-bit initialization vector (IV) for each value, to encrypt data stored on the Salesforce Platform. Encryption and decryption occur on the application servers.

Data Encryption Key (DEK)
Shield Platform Encryption uses DEKs to encrypt and decrypt data. DEKs are derived on the key management servers (KMS) from key material split between a per-release primary secret and an org-specific tenant secret that is stored encrypted in the database. The 256-bit keys are produced by a key derivation function (KDF) and exist only in memory, until they're evicted from the cache. DEKs can also be supplied by an external key service that you control, through the External Key Management service.

Encrypted Data at Rest
Data that's encrypted when persisted on disk. Salesforce supports encryption for fields stored in the database; documents stored in files, content, libraries, and attachments; search index files; CRM Analytics datasets; and archived data.

Encryption Key Management
All aspects of key management: key generation, the processes around keys, and key storage. Administrators or users who have the Manage Encryption Keys permission can work with Shield Platform Encryption key material.

Hardware Security Module (HSM)
A secure network appliance that provides cryptographic processing and key management. Shield Platform Encryption uses HSMs to generate and store the primary and per-release secret material. HSMs also run the key derivation function that derives the DEKs the encryption service uses to encrypt and decrypt data. Salesforce uses FIPS 140-2 Level 3 certified HSM devices. HSMs reside within the primary and regional key management servers (KMSs).

High Assurance Virtual Ceremony (HAVC)
A secure meeting of Salesforce cryptographic officers. During the HAVC, the cryptographic officers convene in secure facilities to generate the per-release secret material by using the primary HSM. The per-release secrets are then stored within the primary KMS.

Initialization Vector (IV)
A random sequence used together with a key to encrypt data, so that encrypting the same value twice produces different ciphertext. Shield Platform Encryption IVs are generally 128 bits (16 bytes), the AES block size.

Key Derivation
The process of creating encryption keys from separately held key material components. The data encryption keys used to encrypt and decrypt your data are derived from up to three cryptographic components: the KDF seed (primary secret), the tenant secret, and the primary initialization vector (KDF salt). These components are stored in separate secure locations, and a derived key is never stored on disk, which limits its exposure.

Key Derivation Function (KDF)
The cryptographic algorithm that Shield Platform Encryption uses to generate DEKs. A KDF takes one or more secrets and a random salt (the primary initialization vector) as input and derives a DEK from them. Shield Platform Encryption uses Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA-256.

Key Rotation
The process of generating a new tenant secret and archiving the previously active one. Only the active tenant secret is used for encryption; archived tenant secrets are used only for decryption, until all data encrypted under them has been re-encrypted with the new, active tenant secret.

Key Wrapping Key (KWK)
A derived symmetric key used to encrypt other keys for secure storage and transport. The primary KWK encrypts the KDF seed, the KDF salt, the tenant wrapping key, and the transit wrapping private key for Transport Layer Security (TLS) before they're stored in the regional KMS.

Primary HSM
The HSM that resides in the primary key management server (KMS). It generates secure, random secrets for each Salesforce release. The primary HSM is under a strict access protocol and can create secrets only through the coordinated actions of multiple trusted cryptographic officers.

Primary Initialization Vector (KDF Salt)
An initialization vector, used as the KDF salt, that the primary HSM creates each release. It's used together with organization tenant secrets to derive data encryption keys.

Primary Secret (KDF Seed)
Formerly called the master secret. Used with the tenant secret and the key derivation function to generate a derived data encryption key. (Customers can opt out of key derivation.) The primary secret is rotated each release by using an HSM. No Salesforce employee has access to these keys in cleartext.

Root Key
A key used by Salesforce to secure and control data encryption keys. Root keys can be generated and managed in Salesforce or outside of Salesforce via an external key management service. Depending on the feature and service, the data encryption keys controlled by a root key can be customer managed or managed on behalf of the customer by the Shield KMS.

Tenant Secret
An organization-specific secret used together with the primary secret and the key derivation function (KDF) to generate a derived data encryption key (DEK). No Salesforce employee has access to these keys in cleartext.
           