Wrap BYOK Key Material
Generate a random number as your BYOK key material and wrap it with the public key from the BYOK-compatible certificate you generated. For Field-Level Encryption (FLE) only, you also calculate a SHA-256 hash of the plaintext secret and upload it together with the wrapped secret.
Required Editions
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses. |
| Available for free in Developer Edition. |
| User Permissions Needed | |
|---|---|
| Edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service: | Manage Certificates AND Customize Application AND Manage Encryption Keys |
Note You can use a secret as a BYOK key only one time. If you need multiple BYOK keys, use a unique secret for each one.
1. Generate a 256-bit secret using the method of your choice.
   You can generate your secret in one of two ways:
   - Use a key brokering partner that can generate, secure, and share access to your tenant secret.
   - Use your own on-premises resources to generate a secret programmatically, using an open-source library such as Bouncy Castle or OpenSSL. Draw the secret from a cryptographically secure random source; the resulting key is only as strong as the randomness behind it.
   Tip We've provided scripts that may help you create wrapped BYOK secrets for all BYOK types. Refer to the sample scripts in this section for details.
2. Wrap your tenant secret with the public key from the 4096-bit BYOK-compatible certificate you generated, using the SHA-512 padding algorithm required for the feature.
   For Field-Level Encryption, specify the OAEP padding scheme, that is, RSA-OAEP with SHA-512 as the hash function. Make sure that the resulting encrypted tenant secret and hashed tenant secret files are base64-encoded. For Search Index and Database Encryption, specify the PKCS#11 CKM_RSA_AES_KEY_WRAP scheme. That mechanism RSA-OAEP-wraps a freshly generated AES key, wraps your secret under that AES key with AES Key Wrap with Padding, and concatenates the two results into a single blob.
   Note Though we recommend the SHA-512 padding algorithm, tenant secrets that use the OAEP padding scheme can still use SHA-1.
   - Encode the encrypted secret in base64.
   - For FLE, calculate a SHA-256 hash of the plaintext secret.
   - Encode the SHA-256 hash of the plaintext secret in base64.
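The Field-Level Encryption path of the procedure above, carried out with the OpenSSL command line. This is an added example, not one of the Salesforce sample scripts linked from this page. It assumes that the BYOK-compatible certificate you downloaded from Salesforce is a PEM file (passed as CERT), that only its public key is needed to wrap, and that the output file names are this example's own choice; it also adds a sanity check a practitioner wants before upload: a single RSA-OAEP block is exactly the modulus size, so the decoded wrapped secret must be 512 bytes for the required 4096-bit certificate.

```shell
#!/bin/sh
# Added example (not Salesforce's sample script): prepare a BYOK tenant secret
# for Field-Level Encryption with OpenSSL.
# Assumptions: CERT is the PEM BYOK-compatible certificate (4096-bit RSA) from
# Salesforce; output names under OUTDIR are this example's own.
set -eu

# pubkey_from_cert CERT OUT_PEM: only the public key is needed to wrap.
pubkey_from_cert() {
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# gen_secret OUT: 32 bytes from the OpenSSL CSPRNG, i.e. the 256-bit secret.
# Use each secret exactly once (see the note above).
gen_secret() {
  openssl rand -out "$1" 32
}

# wrap_secret PUB SECRET OUT_B64: RSA-OAEP with SHA-512 for both the OAEP hash
# and MGF1 (the "SHA512 padding" this page requires), base64 on one line.
wrap_secret() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha512 \
    -pkeyopt rsa_mgf1_md:sha512 \
    | openssl base64 -A > "$3"
}

# hash_secret SECRET OUT_B64: base64 of the SHA-256 digest of the PLAINTEXT secret.
hash_secret() {
  openssl dgst -sha256 -binary "$1" | openssl base64 -A > "$2"
}

# b64_decode IN_B64: decode a one-line base64 file to stdout.
b64_decode() {
  fold -w 64 "$1" | openssl base64 -d
}

# check_wrapped PUB WRAPPED_B64: one OAEP block is exactly the RSA modulus size
# (512 bytes for a 4096-bit key). Any other length means the wrong key, the
# wrong scheme or a broken base64 step, so fail before uploading.
check_wrapped() {
  mod_bits=$(openssl pkey -pubin -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  want=$((mod_bits / 8))
  got=$(b64_decode "$2" | wc -c | tr -d ' ')
  [ "$got" -eq "$want" ]
}

# prepare_fle_secret CERT OUTDIR: run the whole procedure. Leaves
# OUTDIR/secret.bin (keep offline), OUTDIR/wrapped_secret.b64 and
# OUTDIR/secret_hash.b64, the two files you upload for FLE.
prepare_fle_secret() {
  pubkey_from_cert "$1" "$2/pub.pem"
  gen_secret "$2/secret.bin"
  wrap_secret "$2/pub.pem" "$2/secret.bin" "$2/wrapped_secret.b64"
  hash_secret "$2/secret.bin" "$2/secret_hash.b64"
  check_wrapped "$2/pub.pem" "$2/wrapped_secret.b64"
}
```

Run it as `prepare_fle_secret byok_cert.pem ./out`. Because the private key of a BYOK-compatible certificate lives in Salesforce's HSM, you cannot decrypt the wrapped file yourself to confirm it; the length check is the strongest local test available, which is why it is part of the procedure here.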
- Sample Script for Generating a BYOK Tenant Secret
We provide a helper script that may be handy for preparing your tenant secret for upload. The script generates a random number as your tenant secret, calculates a SHA-256 hash of the secret, and uses the public key from the certificate to encrypt the secret. This script is for creating a BYOK tenant secret for FLE, Files and Attachments, and Event Data only.
- Sample Script for Generating BYOK Secrets for Search and for Database Encryption
We've provided a script to help you upload your BYOK material for Search and for Database Encryption. It creates an uploadable DEK for Search, or an uploadable tenant secret for Database Encryption. The script generates a random number as your secret and uses the public key from the certificate to encrypt the secret.
- Sample Script for Generating BYOK Secrets for Data 360
We've provided a script to help you upload your BYOK material for Platform Encryption for Data 360. It creates an uploadable root key. The script generates a random number as your secret and uses the public key from the certificate to encrypt the secret.