Sample Script for Generating BYOK Secrets for Search and for Database Encryption
We’ve provided a script to help you generate your BYOK key material for Search Index Encryption and for Database Encryption. It produces an uploadable data encryption key (DEK) for Search Index Encryption, or an uploadable tenant secret for Database Encryption. The script generates a random 256-bit secret and uses the public key from your BYOK certificate to encrypt (wrap) that secret so that only the holder of the certificate’s private key can recover it.
Required Editions
- Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
- Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
- Available for free in Developer Edition.
You need to create a BYOK-compatible certificate and generate a session token before you can use this script. For Database Encryption and Search Index Encryption, a self-signed certificate is sufficient.
The script creates a single file named payload.bin that is ready to upload as BYOK key material for Search Index Encryption or Database Encryption. The material is wrapped and encoded as required for BYOK key material of this type: a DEK for Search Index Encryption, or a tenant secret for Database Encryption.
- Create a file containing the script and save it in the same directory as the certificate and session token file you downloaded earlier.
- Make sure the script is executable, for example with chmod 775 (a more restrictive mode such as 700 also works, since only you need to run it).
- By default, the temporary files are not deleted. Uncomment the final line of the script to have them deleted automatically. These intermediate files include the plaintext temporary key and the plaintext target key (your DEK or tenant secret), so run the script on a workstation you control and remove the files once payload.bin has been uploaded.
- Run the script, passing the certificate file as its only argument. For example, if you named your script 2025_search_secretgen.sh and your certificate file is named 2025_search.crt, run: ./2025_search_secretgen.sh 2025_search.crt
- The script generates one file named payload.bin.
- Upload payload.bin together with the session token file for the self-signed certificate that you created earlier. The session token file is not read by the script itself; it accompanies payload.bin at upload time.
Contents of 2025_search_secretgen.sh. You can run this script on Linux or macOS systems. It requires OpenSSL 3.x, because the AES key-wrap-with-padding cipher used by the openssl enc step is not available in older releases.
This script generates BYOK key material for Salesforce Shield Platform Encryption. It starts by extracting the public key from the Salesforce certificate. It then generates two random 256-bit AES keys: a temporary key-encryption key and the "customer" key, which becomes the DEK or tenant secret. The temporary key is encrypted to the certificate’s public key with RSA-OAEP (SHA-512 for both the hash and the MGF1 mask). The plaintext temporary key, not its RSA ciphertext, is then used to wrap the customer key with AES Key Wrap with Padding (RFC 5649). Finally, the script concatenates the RSA-encrypted temporary key and the wrapped customer key into a single binary file, payload.bin. The RSA part is exactly one modulus in length (for example 512 bytes for a 4096-bit certificate) and the wrapped 32-byte customer key is always 40 bytes, which gives you a quick length check before you upload. Only the holder of the certificate’s private key can unwrap the payload, which is why the customer key never needs to leave your machine in the clear.
```bash
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 1 ]; then
  echo "usage: $0 <certificate.crt>" >&2
  exit 1
fi
CERT_IN="$1"
OPENSSL="openssl"

# Extract the public key from the X.509 certificate
$OPENSSL x509 -in "$CERT_IN" -pubkey -noout > byok_public_key.pem

# Generate a random temporary AES key (256 bits); this is the key-encryption key
$OPENSSL rand -out temp_aes_key.bin 32

# Encrypt the temp AES key to the certificate's public key using
# RSA-OAEP with SHA-512 as both the OAEP hash and the MGF1 hash
$OPENSSL pkeyutl -encrypt \
  -pubin \
  -inkey byok_public_key.pem \
  -in temp_aes_key.bin \
  -out temp_key_wrapped.bin \
  -pkeyopt rsa_padding_mode:oaep \
  -pkeyopt rsa_oaep_md:sha512 \
  -pkeyopt rsa_mgf1_md:sha512

# Generate the actual target AES key (the DEK or tenant secret) to be wrapped
$OPENSSL rand -out target_aes_key.bin 32

# Convert the plaintext temp AES key to hex for the -K parameter
KEY_HEX=$(hexdump -v -e '/1 "%02x"' < temp_aes_key.bin)

# AES Key Wrap with Padding (RFC 5649); requires OpenSSL 3.x.
# A65959A6 is the standard alternative initial value for the padded variant.
$OPENSSL enc -id-aes256-wrap-pad \
  -iv A65959A6 \
  -K "$KEY_HEX" \
  -in target_aes_key.bin \
  -out target_key_wrapped.bin

# Combine both parts into the final payload:
# RSA-encrypted temp key followed by the wrapped target key
cat temp_key_wrapped.bin target_key_wrapped.bin > payload.bin

# Cleanup: uncomment to remove the intermediate files, which include the
# plaintext temp key and target key, once payload.bin has been produced.
# Note that this line also removes the certificate file passed as $CERT_IN.
# rm "$CERT_IN" byok_public_key.pem temp_aes_key.bin target_aes_key.bin temp_key_wrapped.bin target_key_wrapped.bin
```
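The following Python program is an added example, not part of the Salesforce script or documentation. It reproduces the same payload layout (RSA-OAEP-SHA512 wrapped temporary key, followed by the AES-KWP wrapped target key) with the `cryptography` library, so you can check a payload.bin against its certificate before uploading, and it exercises a local round trip with a throwaway key pair to show that the format unwraps correctly and that a tampered payload is rejected. The function names, the throwaway key pair and the fixed test keys are this example's own assumptions; the private key of your real BYOK certificate is not in your hands, so `unwrap_payload` only applies to locally generated keys.

```python
"""Added example: build, inspect and verify a Shield BYOK payload in Python.

Layout mirrors the shell script: RSA-OAEP(temp_key) || AES-KWP(temp_key, target_key).
"""
import os
import sys
from typing import Dict, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap,
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# Same OAEP parameters as the script: rsa_oaep_md:sha512, rsa_mgf1_md:sha512
OAEP_SHA512 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA512()),
    algorithm=hashes.SHA512(),
    label=None,
)
KEY_LEN = 32       # AES-256 keys, as in the script (openssl rand ... 32)
KWP_OVERHEAD = 8   # RFC 5649 adds one 64-bit block: 32 bytes wrap to 40


def build_payload(public_key: rsa.RSAPublicKey, target_key: bytes,
                  temp_key: Optional[bytes] = None) -> bytes:
    """Produce the same bytes the script writes to payload.bin."""
    if len(target_key) != KEY_LEN:
        raise ValueError("target key must be 32 bytes")
    if temp_key is None:
        temp_key = os.urandom(KEY_LEN)
    wrapped_temp = public_key.encrypt(temp_key, OAEP_SHA512)
    # The plaintext temp key (not its RSA ciphertext) is the wrapping key.
    wrapped_target = aes_key_wrap_with_padding(temp_key, target_key)
    return wrapped_temp + wrapped_target


def split_payload(payload: bytes, public_key: rsa.RSAPublicKey) -> Tuple[bytes, bytes]:
    """Split a payload into its two parts after checking its total length.

    The RSA-OAEP ciphertext is exactly one modulus long (512 bytes for a
    4096-bit certificate); the KWP part is 40 bytes for a 32-byte key.
    """
    modulus_len = public_key.key_size // 8
    expected = modulus_len + KEY_LEN + KWP_OVERHEAD
    if len(payload) != expected:
        raise ValueError(f"payload is {len(payload)} bytes, expected {expected}")
    return payload[:modulus_len], payload[modulus_len:]


def unwrap_payload(payload: bytes, private_key: rsa.RSAPrivateKey) -> bytes:
    """Recover the target key; only possible with the certificate's private key."""
    wrapped_temp, wrapped_target = split_payload(payload, private_key.public_key())
    temp_key = private_key.decrypt(wrapped_temp, OAEP_SHA512)
    return aes_key_unwrap_with_padding(temp_key, wrapped_target)


def check_payload_file(payload_path: str, cert_path: str) -> int:
    """Length-check a payload.bin produced by the script against its certificate."""
    with open(cert_path, "rb") as f:
        public_key = x509.load_pem_x509_certificate(f.read()).public_key()
    with open(payload_path, "rb") as f:
        payload = f.read()
    wrapped_temp, wrapped_target = split_payload(payload, public_key)
    return len(wrapped_temp) + len(wrapped_target)


def self_test(key_size: int = 4096) -> Dict[str, object]:
    """Round trip with a throwaway key pair (assumption: we never hold Salesforce's)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    target = os.urandom(KEY_LEN)
    payload = build_payload(private_key.public_key(), target)
    wrapped_temp, wrapped_target = split_payload(payload, private_key.public_key())
    return {
        "payload_len": len(payload),
        "rsa_part_len": len(wrapped_temp),
        "kwp_part_len": len(wrapped_target),
        "round_trip_ok": unwrap_payload(payload, private_key) == target,
    }


def tamper_detected(key_size: int = 2048) -> bool:
    """AES-KWP carries an integrity check, so a modified payload fails to unwrap."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    payload = bytearray(build_payload(private_key.public_key(), os.urandom(KEY_LEN)))
    payload[-1] ^= 0x01  # flip one bit in the wrapped target key
    try:
        unwrap_payload(bytes(payload), private_key)
    except InvalidUnwrap:
        return True
    return False


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verify_payload.py payload.bin certificate.crt
        print("payload OK:", check_payload_file(sys.argv[1], sys.argv[2]), "bytes")
    else:
        print("self test:", self_test(), "tamper detected:", tamper_detected())
```

Run it with no arguments for the local round trip, or with `payload.bin` and your certificate file to confirm the payload has the expected length for that certificate's modulus. The tamper check is the reason the payload needs no separate MAC: RFC 5649 key wrap binds the alternative initial value and the key length into the ciphertext, so a corrupted or truncated wrapped key is rejected at unwrap time.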

