          Sample Script for Generating a BYOK Tenant Secret

          We provide a helper script that may be handy for preparing your tenant secret for upload. The script generates a random number as your tenant secret, calculates a SHA-256 hash of the secret, and uses the public key from the certificate to encrypt the secret. This script is only for creating a BYOK tenant secret for FLE, Files and Attachments, and Event Data.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          Note: You can use a tenant secret or DEK as a BYOK key only one time. If you need multiple BYOK keys, you must use a unique tenant secret or DEK for each one. Also, this script is different from the one you use for creating BYOK material for Search and for Database Encryption. Refer to "Sample Script for Generating a BYOK Secret for Search and Database Encryption" if you need to create one of those instead.

          You will need to create a BYOK-compatible certificate before you can use this script.

          Generate a BYOK Tenant Secret for FLE, Files and Attachments, or Event Bus Data

          This script creates the two files required to create a valid BYOK tenant secret. The script generates a random number as your secret, calculates a SHA-256 hash of the secret, and then encrypts the secret with your certificate’s public key. The script is valid for both Linux and macOS.

          1. Copy the following script. Save it in the same directory as the BYOK-compatible certificate that you downloaded earlier.
            • Linux secretgen.sh script
              #!/bin/bash

              # Set the locale to C (POSIX)
              # required to prevent "illegal byte sequence" errors in tr
              export LC_ALL=C

              PLAINTEXT_SECRET_HASH_B64="plaintext_secret_hash.b64"
              ENCRYPTED_SECRET_B64="encrypted_secret.b64"
              PLAINTEXT_SECRET="plaintext_secret.bin"
              PUBLIC_KEY_PEM="public_key.pem"

              # Determine the correct path to the OpenSSL binary
              if [[ "$(uname -s)" == "Darwin" ]]; then
                  # macOS (Homebrew)
                  # set to your path to OpenSSL 3.4.1 or newer
                  OPENSSL="openssl"
              else
                  # Linux (assuming OpenSSL is in the PATH)
                  OPENSSL="openssl"
              fi

              usage() {
                  echo 'Generates a random 256-bit value, hashes it, and encrypts it using a given certificate.'
                  echo ''
                  echo 'Usage: secretgen downloaded.crt'
                  exit 1
              }

              if [ -z "$1" ]; then
                  usage
              fi

              # Generate a random value to use as the secret
              # Use 'tr' for macOS compatibility
              # [:cntrl:] is POSIX for control characters
              head -c 32 /dev/urandom | tr '[:cntrl:]' '=' > "$PLAINTEXT_SECRET"

              # Hash the plaintext secret and encode it with base64
              $OPENSSL dgst -sha256 -binary "$PLAINTEXT_SECRET" | $OPENSSL base64 -out "$PLAINTEXT_SECRET_HASH_B64"

              # Extract the public key from the downloaded .crt file
              $OPENSSL x509 -pubkey -noout -in "$1" > "$PUBLIC_KEY_PEM"

              # Encrypt the secret using the public key and encode it with base64
              # Older OpenSSL releases used rsautl, which is deprecated in OpenSSL 3.x:
              #$OPENSSL rsautl -oaep -encrypt -pubin -inkey "$PUBLIC_KEY_PEM" -in "$PLAINTEXT_SECRET" | $OPENSSL base64 -out "$ENCRYPTED_SECRET_B64"
              # for OpenSSL 3.4.1, use pkeyutl with OAEP padding
              $OPENSSL pkeyutl -encrypt -pubin -inkey "$PUBLIC_KEY_PEM" -in "$PLAINTEXT_SECRET" -pkeyopt rsa_padding_mode:oaep | $OPENSSL base64 -out "$ENCRYPTED_SECRET_B64"

              # Uncomment to clean up files that are no longer needed
              # rm "$PUBLIC_KEY_PEM"
              # rm "$PLAINTEXT_SECRET"

              echo 'Generated files: '$ENCRYPTED_SECRET_B64' and '$PLAINTEXT_SECRET_HASH_B64'.'
              echo 'Both of these should be uploaded to Salesforce.'
          2. Make secretgen.sh executable. For example, chmod 775 secretgen.sh grants you write and execute permission for the file.
          3. Run the script, specifying the certificate name, like this: ./secretgen.sh <your certificate file name>
            Replace <your certificate file name> with the actual file name of the certificate you downloaded.
          4. The script generates several files. Look for the two files that end with the .b64 suffix.
            The file encrypted_secret.b64 is your base64-encoded encrypted tenant secret, and the file plaintext_secret_hash.b64 is your base64-encoded hash of the plaintext tenant secret. You upload both of these files on the Bring Your Own Key page.
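          Because secretgen.sh does not stop when an openssl step fails, it is worth checking the generated files before uploading them. The following Python check is an added example, not part of the Salesforce script; it assumes the default file names from the script, uses only the standard library, and treats the key size as RSA-2048 or larger.

```python
"""Sanity checks for the files written by secretgen.sh before they are uploaded."""
import base64
import hashlib
import sys
from pathlib import Path

SECRET_LEN = 32       # secretgen.sh reads exactly 32 bytes from /dev/urandom
MIN_RSA_BYTES = 256   # RSA-2048 gives a 256-byte OAEP ciphertext; RSA-4096 gives 512


def read_b64_file(path):
    """Decode an 'openssl base64' output file; openssl wraps its output at 64 columns."""
    text = "".join(Path(path).read_text().split())
    return base64.b64decode(text, validate=True)


def check_byok_files(directory):
    """Return a list of problems with the generated files; an empty list means consistent."""
    d = Path(directory)
    try:
        secret = (d / "plaintext_secret.bin").read_bytes()
        digest = read_b64_file(d / "plaintext_secret_hash.b64")
        ciphertext = read_b64_file(d / "encrypted_secret.b64")
    except (OSError, ValueError) as exc:   # missing file, or not valid base64
        return [f"cannot read or decode an input file: {exc}"]

    problems = []
    if len(secret) != SECRET_LEN:
        problems.append(f"plaintext secret is {len(secret)} bytes, expected {SECRET_LEN}")
    if digest != hashlib.sha256(secret).digest():
        problems.append("plaintext_secret_hash.b64 is not the SHA-256 of plaintext_secret.bin")
    # An RSA-OAEP ciphertext is always exactly the modulus size; an empty or short
    # file usually means the openssl x509 or pkeyutl step failed silently.
    if len(ciphertext) < MIN_RSA_BYTES or len(ciphertext) % 128:
        problems.append(f"encrypted_secret.b64 decodes to {len(ciphertext)} bytes, "
                        "not a full RSA block (256 or 512 bytes)")
    if secret and secret in ciphertext:
        problems.append("encrypted_secret.b64 contains the plaintext secret unencrypted")
    return problems


if __name__ == "__main__":
    found = check_byok_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(found) if found else "OK: files are consistent, ready to upload")
    sys.exit(1 if found else 0)
```

          Run it from the directory where secretgen.sh wrote its files; a non-zero exit code means at least one file should be regenerated before upload.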
          Salesforce Help | Article