Sample Script for Generating BYOK Secrets for Data 360

We’ve provided a script to help you upload your BYOK material for Platform Encryption for Data 360. It creates an uploadable root key: the script generates 32 random bytes (256 bits) as your secret and wraps that secret with the public key from your BYOK certificate.

Required Editions

Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.
Note This script is different from the ones you use for creating BYOK material for Field-Level Encryption (FLE), Search Index Encryption, or Database Encryption. Refer to the other pages in this section if you need to create one of those other BYOK types instead.

Before you can use this script, create a BYOK-compatible certificate and generate an import token. For Platform Encryption for Data Cloud, you only need a self-signed certificate. After the key material is uploaded, the certificate is automatically deleted.

The script creates a single file named EncryptedKeyMaterial.bin that is ready to upload as BYOK key material for Platform Encryption for Data 360. It is wrapped and encoded as required for BYOK key material of this type.

1. Create a file containing the script and save it in the same directory as the certificate and import token file you downloaded earlier.
2. Make the script executable, for example with chmod u+x.
  By default, the temporary files are not deleted, so PlaintextKeyMaterial.bin (the unwrapped secret) stays on disk; handle it like any other key and remove it when you are done. Uncomment the final two rm lines of the script to have the temporary files deleted automatically.
3. Run the script, passing the certificate file name as its only argument. For example, if you named your script 2025_dc_rootkeygen.sh and your certificate file is named 2025_dc_byok.crt, run: ./2025_dc_rootkeygen.sh 2025_dc_byok.crt
4. The script generates one file named EncryptedKeyMaterial.bin.
  Upload EncryptedKeyMaterial.bin together with the import token file for the self-signed certificate that you created earlier.
Example

2025_dc_rootkeygen.sh file contents. You can run this script on Linux or macOS systems.

This script generates a secure root key for Platform Encryption for Data 360 for use with Bring Your Own Key (BYOK). You pass it the certificate you downloaded from the BYOK page; the import token you generated there is not read by the script, but is uploaded together with its output. The process is

• Check that a certificate file name is passed in and that the file exists. Exit on failure.
• Extract the public key from the certificate into public_key.pem. Exit on failure.
• Create the actual key material (in this script, 32 random bytes, that is 256 bits, from the OpenSSL CSPRNG) as a file named PlaintextKeyMaterial.bin.
• Use openssl to wrap (encrypt) PlaintextKeyMaterial.bin with the certificate's public key using RSAES-OAEP with SHA-256 (the RSAES_OAEP_SHA_256 wrapping algorithm, applied with the certificate's RSA 4096-bit key). This produces the EncryptedKeyMaterial.bin file.
• Optionally delete the interim plaintext key material file and the extracted public_key.pem file.

          The EncryptedKeyMaterial.bin file can then be uploaded (along with the original import token) to Salesforce to complete the BYOK for Data 360 setup.

#!/bin/bash
## BYOK for Data Cloud sample script to generate and prepare a DC root key for uploading.
## Pass in as parameter: certificate file (.crt) downloaded from the
##  Generate Certificate page (referred to in this script as certificate.crt or CERT_FILE).
## Output: EncryptedKeyMaterial.bin, a 32-byte secret wrapped with the
##  certificate's RSA public key using RSAES-OAEP with SHA-256.

## Create the plaintext, public key and output files readable by this user only
umask 077

## Validate input parameter
if [ -z "$1" ]; then
    echo "Error: Please provide a certificate file as parameter."
    echo "Usage: ./2025_dc_rootkeygen.sh certificate.crt"
    exit 1
fi

if [ ! -f "$1" ]; then
    echo "Error: File '$1' not found."
    exit 1
fi

CERT_FILE="$1"
PUBLIC_KEY_FILE="public_key.pem"
PLAINTEXT_FILE="PlaintextKeyMaterial.bin"
OUTPUT_FILE="EncryptedKeyMaterial.bin"

## Step 1: Extract public key from certificate
echo "Extracting public key from certificate..."
if ! openssl x509 -in "$CERT_FILE" -pubkey -noout > "$PUBLIC_KEY_FILE"; then
    echo "Error: Failed to extract public key from certificate."
    exit 1
fi
echo "Public key extracted to $PUBLIC_KEY_FILE."

## Step 2: Generate key material as PlaintextKeyMaterial.bin
# 32 random bytes (256 bits) from the OpenSSL CSPRNG
if ! openssl rand -out "$PLAINTEXT_FILE" 32; then
    echo "Error: Failed to generate key material."
    exit 1
fi

## Step 3: Wrap key material
# RSAES-OAEP with SHA-256 as both the OAEP hash and the MGF1 hash, i.e. the
# RSAES_OAEP_SHA_256 wrapping applied with the certificate's RSA 4096-bit key.
# The PEM format public key is used directly.
if ! openssl pkeyutl \
    -encrypt \
    -in "$PLAINTEXT_FILE" \
    -out "$OUTPUT_FILE" \
    -inkey "$PUBLIC_KEY_FILE" \
    -keyform PEM \
    -pubin \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256; then
    echo "Error: Failed to wrap key material."
    exit 1
fi

echo "=== Output file:"
echo "    $OUTPUT_FILE created."

## Optional cleanup. Remove the # from the next two lines to delete the plaintext
## key material and the extracted public key automatically.
# rm -f "$PLAINTEXT_FILE"
# rm -f "$PUBLIC_KEY_FILE"
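The wrapping step can be checked end to end before you run it against the real certificate. The following is an added example and not part of Salesforce's sample script: it assumes openssl is on PATH, generates a throwaway RSA-4096 self-signed certificate and private key (standing in for the Salesforce-issued BYOK certificate, whose private key you never hold), wraps a fresh 32-byte secret exactly as the script does, confirms the certificate key is RSA with a 4096-bit modulus, confirms the wrapped blob is the 512 bytes an RSA-4096 OAEP ciphertext must be, and then decrypts it with the test private key to prove it round-trips. All function and file names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not Salesforce's code): round-trip check for the BYOK
# wrapping procedure. Names and file paths are assumptions for this example.
set -u
umask 077

# Wrap plaintext file $2 with the public key of certificate $1 into $3,
# using RSAES-OAEP with SHA-256 for both the OAEP hash and MGF1 (as the script does).
byok_wrap() {
    cert="$1"; plain="$2"; out="$3"
    pub="$(mktemp)"
    openssl x509 -in "$cert" -pubkey -noout > "$pub" || { rm -f "$pub"; return 1; }
    if openssl pkeyutl -encrypt -in "$plain" -out "$out" \
        -inkey "$pub" -keyform PEM -pubin \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256; then rc=0; else rc=1; fi
    rm -f "$pub"
    return $rc
}

# Return 0 if certificate $1 carries an RSA public key with a 4096-bit modulus.
# This check also works on the real certificate downloaded from Salesforce.
cert_is_rsa4096() {
    txt="$(openssl x509 -in "$1" -noout -text)" || return 1
    printf '%s\n' "$txt" | grep -q "rsaEncryption" || return 1
    printf '%s\n' "$txt" | grep -q "Public-Key: (4096 bit)"
}

# File size in bytes, portable across GNU and BSD wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 if wrapped file $3 decrypts with private key $1 to the bytes in $2.
byok_roundtrip_ok() {
    key="$1"; plain="$2"; wrapped="$3"
    dec="$(mktemp)"
    openssl pkeyutl -decrypt -in "$wrapped" -out "$dec" -inkey "$key" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 || { rm -f "$dec"; return 1; }
    if cmp -s "$plain" "$dec"; then rc=0; else rc=1; fi
    rm -f "$dec"
    return $rc
}

# Self-test: throwaway RSA-4096 key pair and certificate, then the full round trip.
# Returns 0 only if every check passes.
byok_selftest() {
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1 \
        -subj "/CN=byok-roundtrip-test" \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null || return 1
    openssl rand -out "$dir/PlaintextKeyMaterial.bin" 32 || return 1
    [ "$(file_size "$dir/PlaintextKeyMaterial.bin")" -eq 32 ] || return 1
    cert_is_rsa4096 "$dir/test.crt" || return 1
    byok_wrap "$dir/test.crt" "$dir/PlaintextKeyMaterial.bin" \
        "$dir/EncryptedKeyMaterial.bin" || return 1
    # An RSA-4096 OAEP ciphertext is exactly one modulus long: 512 bytes.
    [ "$(file_size "$dir/EncryptedKeyMaterial.bin")" -eq 512 ] || return 1
    byok_roundtrip_ok "$dir/test.key" "$dir/PlaintextKeyMaterial.bin" \
        "$dir/EncryptedKeyMaterial.bin" || return 1
    rm -rf "$dir"
    return 0
}

# Usage: source this file, then run the self-test.
# byok_selftest && echo "BYOK wrapping round trip OK"
```

Against the real Salesforce-issued certificate you can only run cert_is_rsa4096 and the 512-byte size check on EncryptedKeyMaterial.bin, since the matching private key stays with Salesforce; a blob of any other length, or a certificate whose key is not RSA-4096, means the wrong certificate or the wrong openssl options were used and the upload should not be attempted.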
           
          Salesforce Help | Article