Set Up and Maintain Your Salesforce Organization

          Considerations for Cache-Only Keys

          These considerations apply to all data that you encrypt using the Shield Platform Encryption Cache-Only Key Service.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.

          Named Credentials

          To use a named principal with Shield Platform Encryption cache-only keys, create a permission set that grants external credential principal access for that principal, and assign the permission set to the autoproc user. See Use a Named Principal-Based Credential for a Cache-Only Key.

          Retry Policy

          If Salesforce can’t reach your external key service, the callout fails and your active cache-only key’s status is set to Destroyed. This policy prevents excessive load on both services. The Cache-Only Key Service then periodically retries the callout to minimize your downtime. Retries occur once per minute for five minutes, then once every five minutes for 24 hours. If the Cache-Only Key Service completes a callout successfully during this retry period, your cache-only key’s status is reset to Active.

          At any point during the retry period, you can reactivate your key material through Setup or the API, provided that your remote key service is reachable again. Reactivating the key material during the retry period stops all remaining retry attempts.

          The RemoteKeyCalloutEvent object captures every callout to your key service. You can subscribe to this event with after insert Apex triggers, and set up real-time alerts that notify you when a callout fails.
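The following after insert trigger is an added example, not code from the Salesforce Help article. It subscribes to RemoteKeyCalloutEvent and opens a high-priority Case whenever a callout to the external key service does not succeed, so an on-call team learns about a key in the Destroyed state before users hit decryption errors. It assumes the event exposes StatusCode and RequestIdentifier fields and that 'Success' is the status value of a healthy callout; check the RemoteKeyCalloutEvent reference for your API version before relying on those names.

```apex
// Added example, not part of the Salesforce Help article.
// Platform event triggers run as the Automated Process user, so the Case is created
// in that context; route it with assignment rules or a queue as your org requires.
trigger RemoteKeyCalloutAlert on RemoteKeyCalloutEvent (after insert) {
    List<Case> alerts = new List<Case>();

    for (RemoteKeyCalloutEvent evt : Trigger.new) {
        // Assumption: StatusCode is a string field on the event and 'Success' denotes a
        // successful callout. Any other value means the key service could not be reached or
        // returned an unusable response, and the key may now be in the Destroyed state.
        if (evt.StatusCode != 'Success') {
            alerts.add(new Case(
                Subject     = 'Cache-only key callout failed: ' + evt.StatusCode,
                Priority    = 'High',
                Origin      = 'Web',
                Description = 'Callout ' + evt.RequestIdentifier   // assumed field name
                    + ' to the external key service returned status ' + evt.StatusCode
                    + ' at ' + evt.CreatedDate + '. Data encrypted with the affected '
                    + 'cache-only key may be unavailable until the service is reachable '
                    + 'again or the key material is reactivated in Setup.'
            ));
        }
        // Record progress so a failure later in this batch resumes after this event
        // rather than redelivering events that were already turned into Cases.
        EventBus.TriggerContext.currentContext().setResumeCheckpoint(evt.ReplayId);
    }

    if (!alerts.isEmpty()) {
        insert alerts;
    }
}
```

Because the Retry Policy above keeps calling the key service for up to 24 hours, a single outage can produce many failure events; if that is too noisy, deduplicate on an open Case with the same subject before inserting.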

          401 HTTP Responses

          If there’s a 401 HTTP response, Salesforce automatically refreshes any OAuth token associated with your named credential, and retries the request.

          CRM Analytics

          Backups of CRM Analytics data are encrypted with your Shield Platform Encryption keys. If you encrypt data in CRM Analytics datasets with a cache-only key, make sure that the Analytics cache-only key is in the same state as your Fields and Files (Probabilistic) cache-only key.

          Setup Audit Trail

          Setup Audit Trail records activated cache-only key versions differently depending on whether a cache-only key with the Active status already exists when you reactivate the key.

          If you reactivate a destroyed key and another key already has the Active status, the Setup Audit Trail shows the reactivated key with an updated version number.

          Cache-Only Keys and Key Types

          Use a separate cache-only key for each type of data you want to encrypt. You can’t use a cache-only key with multiple key types. For example, you can’t use a cache-only key to encrypt both search indexes and CRM Analytics data.

          Service Protections

          To protect against Shield KMS interruptions and ensure smooth encryption and decryption, you can have up to 10 cache-only keys of each type in the Active and Archived statuses combined.

          If you reach this limit, destroy an existing key before you create, upload, reactivate, or rearchive another one, or set up a callout for it. Synchronize your data with an active key before you destroy any key material.
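The class below is an added example, not code from the Salesforce Help article. It counts, per key type, the cache-only keys that count toward the limit of 10 (Active plus Archived) and lists the archived versions that are the usual candidates to destroy once all data has been synchronized with the active key. It assumes that TenantSecret rows with Source = 'CacheOnly' are cache-only key material and that Status uses the values Active, Archived, and Destroyed; verify both against the TenantSecret object reference for your org.

```apex
// Added example, not part of the Salesforce Help article.
// Run CacheOnlyKeyInventory.report() from Execute Anonymous, or call summarize()
// from a scheduled job and alert when any type reaches the limit.
public with sharing class CacheOnlyKeyInventory {
    // Limit per key type, from the Service Protections section of the article.
    public static final Integer KEY_LIMIT = 10;

    public class TypeSummary {
        public String keyType;
        public Integer active = 0;
        public Integer archived = 0;
        // Archived versions in ascending order; the oldest is the first destruction candidate.
        public List<Integer> archivedVersions = new List<Integer>();

        public Integer slotsLeft() { return KEY_LIMIT - active - archived; }
        public Boolean atLimit()   { return slotsLeft() <= 0; }
    }

    public static Map<String, TypeSummary> summarize() {
        Map<String, TypeSummary> byType = new Map<String, TypeSummary>();
        // Assumption: Source = 'CacheOnly' selects cache-only key material. Destroyed keys
        // do not count toward the limit, so they are excluded here.
        for (TenantSecret ts : [SELECT Type, Status, Version
                                FROM TenantSecret
                                WHERE Source = 'CacheOnly'
                                  AND Status IN ('Active', 'Archived')
                                ORDER BY Type, Version]) {
            TypeSummary s = byType.get(ts.Type);
            if (s == null) {
                s = new TypeSummary();
                s.keyType = ts.Type;
                byType.put(ts.Type, s);
            }
            if (ts.Status == 'Active') {
                s.active++;
            } else {
                s.archived++;
                s.archivedVersions.add(ts.Version);
            }
        }
        return byType;
    }

    public static void report() {
        for (TypeSummary s : summarize().values()) {
            String line = s.keyType + ': ' + s.active + ' active, ' + s.archived + ' archived';
            if (s.atLimit()) {
                line += ' AT LIMIT; destroy an archived version before creating another key';
                if (!s.archivedVersions.isEmpty()) {
                    line += ' (archived versions: ' + s.archivedVersions + ')';
                }
            } else {
                line += ' (' + s.slotsLeft() + ' slots left)';
            }
            System.debug(line);
        }
    }
}
```

Destroying key material is irreversible for any data not yet re-encrypted, so treat the archived-version list as input to a sync-then-destroy runbook, not as something to act on automatically.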

          Hyperforce Migration

          When your org moves from a non-Hyperforce platform to Hyperforce, you may need to revisit your AWS KMS IP connection settings. We recommend that Hyperforce customers adopt the best practices listed in the topic Preferred Alternatives to IP Allowlisting on Hyperforce as soon as possible.

          Salesforce Help | Article