Set Up and Maintain Your Salesforce Organization
          Upload Your BYOK Key Material

          Shield Platform Encryption supports BYOK for FLE, Event Log Data, Search Index Encryption, and Database Encryption. Because they all support different encryption targets, they need different types of BYOK key material. For FLE, Event Log Data, and Database Encryption you upload a BYOK tenant secret. For Search Index Encryption you upload a data encryption key (DEK).

          Note

          You can have up to 50 active and archived tenant secrets of each type. For example, you can have one active and 49 archived Fields and Files (Probabilistic) tenant secrets, and the same number of Analytics tenant secrets. This limit includes Salesforce-generated and customer-supplied key material. Database Encryption is not counted in this limit.

          If you reach the limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data that it encrypts with an active key.

          Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?

          After you create your BYOK-compatible key material, you wrap it securely and upload it to Salesforce. The processes for wrapping and uploading tenant secrets and DEKs are also slightly different for the different BYOK types.

          • Upload Your BYOK Tenant Secret for FLE, Files, or Event Data
            For FLE, Files and Attachments, or for Event Change Data, you upload a tenant secret to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key. The tenant secret you upload for one of these features is used only for that feature. For example, the tenant secret for Event Change Data is only used to secure event data.
          • Upload Your BYOK DEK for Search Index Encryption
            For Search Index Encryption you upload a data encryption key (DEK) as your BYOK key material. The Shield Key Management Service (KMS) uses your DEK for encrypting and decrypting your data. BYOK DEKs encrypt only search indexes.
          • Upload a BYOK Tenant Secret for Database Encryption
            For Database Encryption, you upload a tenant secret as your BYOK material. The Shield Key Management Service (KMS) uses your tenant secret to derive the keys used for encrypting and decrypting your transactional database data. This tenant secret is only used for Database Encryption.
          • Upload a Root Key for Data 360
            For Data 360, you upload a root key to Salesforce. Data 360 uses the root key for securing the data encryption key that encrypts and decrypts all Data Cloud data stores, including Data 360's own vector-based search. This root key is only used for Data 360.
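          The key hierarchy described above, shown as an added illustration that is not Salesforce code and does not reproduce the Shield KMS's own derivation (this page does not specify it): the customer generates a 256-bit tenant secret from a CSPRNG, and a separate org-specific data encryption key is derived from it for each feature, so the material uploaded for one feature never doubles as the key for another. The derivation here is standard HKDF (RFC 5869) with the org ID and feature name as context; the `derive_dek` function, its context labels, and the sample org ID are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ..., truncated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def new_tenant_secret() -> bytes:
    """Customer-generated BYOK tenant secret: 256 bits of CSPRNG output."""
    return secrets.token_bytes(32)


def derive_dek(tenant_secret: bytes, org_id: str, feature: str) -> bytes:
    """Illustrative per-feature DEK derivation (assumption: not the Shield KMS algorithm).

    The feature name is part of the HKDF context, so the same tenant secret yields
    unrelated keys for, e.g., "FLE" and "EventData", mirroring the page's rule that
    a tenant secret uploaded for one feature is used only for that feature.
    """
    if len(tenant_secret) != 32:
        raise ValueError("tenant secret must be exactly 256 bits")
    info = f"{org_id}|{feature}".encode()
    return hkdf(salt=b"", ikm=tenant_secret, info=info, length=32)


def key_check_value(key: bytes) -> str:
    """Short fingerprint for operator records; the key itself is never written out."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample org ID; the tenant secret is freshly generated each run.
    org = "00Dxx0000000000EXAMPLE"
    ts = new_tenant_secret()
    for feature in ("FLE", "EventData", "DatabaseEncryption"):
        print(feature, key_check_value(derive_dek(ts, org, feature)))
```

          Because every derived key depends entirely on the tenant secret, destroying a tenant secret makes all keys derived from it unrecoverable; that is why the page tells you to synchronize encrypted data with an active key before destroying one.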
          Salesforce Help | Article