Shield Platform Encryption’s Bring Your Own Key (BYOK) feature gives you an extra
layer of protection if there’s unauthorized access to critical data. It can also help you
meet the regulatory requirements that come with handling financial, health, or personal
data. After you set up your key material, use Shield Platform Encryption as you always do to
encrypt data at rest in your Salesforce org.
Required Editions
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.
With Shield Platform Encryption, Salesforce administrators can manage the lifecycle of their
data encryption keys (DEKs) while protecting these keys from unauthorized access. By
controlling the lifecycle of your organization’s tenant secrets, you control the lifecycle of
the data encryption keys derived from them. And for some encryption services you can opt out
of key derivation altogether and upload a final data encryption key.
DEKs aren’t stored in Salesforce. Usually they’re derived from the primary secret (also known
as the KDF seed) and the tenant secret on demand whenever a key is needed to encrypt or
decrypt customer data. The primary secret is generated one time per release for everyone
during a High Assurance Virtual Ceremony (HAVC) by using a hardware security module (HSM). The
tenant secret or root key is unique to your org, and you control when it’s generated,
activated, revoked, or destroyed.
You have four options for setting up your key material.
1. Use Shield Platform Encryption to generate your org-specific key material.
2. Use the infrastructure of your choice, such as an on-premises HSM, to generate and manage your key material outside of Salesforce. Then upload that tenant secret to the regional Salesforce KMS. This option is known as Bring Your Own Key. If the key material is a tenant secret, you're providing the tenant secret from which the key is derived. If you're providing a root key, you're providing a key that securely wraps your encryption key.
3. Opt out of the Shield Platform Encryption key derivation process completely with the Bring Your Own Key service. Use the infrastructure of your choice to create a DEK instead of a tenant secret. Then upload this DEK to the regional Shield KMS. When you opt out of derivation on a key-by-key basis, Shield Platform Encryption bypasses the derivation process and uses this key material as your final DEK. You can rotate customer-supplied DEKs just like you can rotate customer-supplied tenant secrets. BYOK is currently available for FLE, Database Encryption, Search Index Encryption, and Platform Encryption for Data 360. In the case of Data 360, BYOK supports root key uploads only. The other features support DEK uploads only.
4. Generate and store your key material outside of Salesforce by using the key service of your choice. Then use either the External Key Management Service or the Salesforce Cache-Only Key Service to fetch your key material on demand. Your key service transmits your key material over a secure channel that you configure. It's then encrypted and stored in the cache for immediate encryption and decryption operations. Cache-Only Keys isn't available for Database Encryption.
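The difference between the derived-key path (tenant secret plus KDF seed) and the opt-out path (an uploaded key used directly as the final DEK) is easier to see in code. The example below is an added illustration, not Salesforce's implementation: it assumes an HKDF-SHA256 derivation and 256-bit keys, which are not stated on this page, and it models only the key-selection logic.

```python
import hashlib
import hmac

KEY_LEN = 32  # 256-bit DEKs; an assumption for this illustration, not a Salesforce spec


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_dek(kdf_seed: bytes, tenant_secret: bytes, service: bytes) -> bytes:
    """Derived-key path: the DEK is recomputed on demand from the release-wide
    KDF seed (primary secret) and the org's tenant secret, so nothing has to be
    stored. Binding the service name into 'info' keeps DEKs for different
    encryption services distinct even when the tenant secret is shared."""
    return hkdf_sha256(salt=kdf_seed, ikm=tenant_secret, info=b"dek:" + service)


def resolve_dek(kdf_seed: bytes, key_material: bytes, material_type: str, service: bytes) -> bytes:
    """Select the final DEK according to what kind of key material was uploaded.

    'tenant_secret' -> derive the DEK (generated or BYOK tenant secret)
    'dek'           -> opt-out path: the uploaded material IS the final DEK
    """
    if material_type == "tenant_secret":
        return derive_dek(kdf_seed, key_material, service)
    if material_type == "dek":
        # Derivation is bypassed, so the uploaded key must already be a full DEK.
        if len(key_material) != KEY_LEN:
            raise ValueError("customer-supplied DEK must be exactly %d bytes" % KEY_LEN)
        return key_material
    raise ValueError("unknown key material type: %s" % material_type)


def rotate_tenant_secret(kdf_seed: bytes, old_secret: bytes, new_secret: bytes, service: bytes):
    """Rotation yields a new DEK, but data encrypted under the old one still needs
    the old DEK until it is re-encrypted; return both so callers keep the old
    secret archived rather than destroyed."""
    return derive_dek(kdf_seed, old_secret, service), derive_dek(kdf_seed, new_secret, service)
```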