Set Up and Maintain Your Salesforce Organization
Components Involved in Deriving Keys

Encryption keys are derived with a combination of hardware security modules (HSMs) and key derivation servers.

Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Application Servers
Servers in production environments that run Salesforce. When a customer attempts to read or write encrypted data or to generate a tenant secret, the application server communicates with a regional KMS to process the request.

External Key Management Service
The service you use when you fully manage your own data encryption keys, through either the External Key Management Service or the Cache-Only Key Service.

Primary HSM (nShield® Connect HSM model XC)
A FIPS 140-2 Level 3 compliant hardware network appliance that generates per-release secrets and secret-wrapping keys and signs the public keys of regional HSMs. The primary HSM is located in the primary KMS. Access to the HSM is controlled through a High Assurance Virtual Ceremony (HAVC).

The primary HSM's public signing key is used to sign, and later verify, each regional HSM's public encryption key. At the start of each release, the primary and regional HSM public encryption keys are used to separately encrypt a per-release primary key wrapping key; that wrapping key in turn encrypts the remainder of the per-release secrets from which data encryption keys are derived.

Salesforce Search Index
Servers in production environments that manage Salesforce searches. When a user attempts to query encrypted data, the search index processes the request.

Shield KMS Server
Shield Platform Encryption uses a single primary KMS and multiple regional KMSs. The primary KMS is the first KMS to receive the per-release secrets. It makes those secrets available to the regional KMSs, and it also services key material requests like any regional KMS server.
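The chain described under Primary HSM and Shield KMS Server (the primary HSM signs each regional HSM's public encryption key; a per-release key wrapping key is encrypted to that key; the wrapping key encrypts the per-release secrets that data encryption keys are derived from) can be modelled end to end. The Go program below is an added example written for this article; it is not Salesforce or nShield code. Every algorithm choice in it (Ed25519 for the signing key, P-256 ECDH with HKDF-SHA256 and AES-256-GCM for encrypting to an HSM's public key, HKDF for the final DEK derivation) and every name (HSM, ReleaseBundle, StartRelease, ReceiveRelease, DeriveDEK, the "kwk-transport" label) is an assumption, not something the article states. It shows only the regional copy of the wrapping key; the article says a second copy is encrypted to the primary HSM's own public encryption key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must aborts on RNG, key-generation or cipher-setup failure (fatal for an HSM).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hkdf32 is one-block HKDF-SHA256 (RFC 5869 extract, then expand to 32 bytes).
func hkdf32(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// wrap is AES-256-GCM under a 32-byte key; the random nonce is prefixed to the output.
func wrap(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// unwrap reverses wrap; it fails if the key is wrong or the blob was altered.
func unwrap(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("wrapped blob too short")
}

// HSM (hypothetical model) holds a signing key pair and an encryption key pair;
// the primary HSM uses both, a regional HSM mainly its encryption pair.
type HSM struct {
	sign ed25519.PrivateKey
	enc  *ecdh.PrivateKey
}

func NewHSM() *HSM {
	_, sign, err := ed25519.GenerateKey(rand.Reader)
	return &HSM{sign: must(sign, err), enc: must(ecdh.P256().GenerateKey(rand.Reader))}
}

// EncKey is the public encryption key that the primary HSM signs.
func (h *HSM) EncKey() *ecdh.PublicKey { return h.enc.PublicKey() }

// ReleaseBundle is what a regional HSM receives at the start of a release.
type ReleaseBundle struct {
	EphemeralPub   []byte // sender's ephemeral ECDH public key
	SealedKWK      []byte // per-release key wrapping key, encrypted to the regional HSM
	WrappedSecrets []byte // per-release secrets, wrapped under the KWK
}

// SignRegionalKey is the primary HSM vouching for a regional public encryption key.
func (primary *HSM) SignRegionalKey(pub *ecdh.PublicKey) []byte {
	return ed25519.Sign(primary.sign, pub.Bytes())
}

// StartRelease verifies the regional key's signature, mints a per-release KWK and
// per-release secrets, wraps the secrets under the KWK and encrypts the KWK to the
// regional key (ephemeral ECDH + HKDF + AES-GCM). The plaintext secrets are returned
// as well, only so that a caller can compare the two sides of the exchange.
func (primary *HSM) StartRelease(regional *ecdh.PublicKey, sig []byte) (*ReleaseBundle, []byte, error) {
	if !ed25519.Verify(primary.sign.Public().(ed25519.PublicKey), regional.Bytes(), sig) {
		return nil, nil, errors.New("regional HSM key is not signed by the primary HSM")
	}
	kwk, secrets := make([]byte, 32), make([]byte, 32)
	must(rand.Read(kwk))
	must(rand.Read(secrets))
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	kek := hkdf32(must(eph.ECDH(regional)), nil, []byte("kwk-transport"))
	return &ReleaseBundle{eph.PublicKey().Bytes(), wrap(kek, kwk), wrap(kwk, secrets)}, secrets, nil
}

// ReceiveRelease recovers the KWK with the regional private key, then the secrets.
func (regional *HSM) ReceiveRelease(b *ReleaseBundle) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(b.EphemeralPub) // rejects malformed points
	if err != nil {
		return nil, err
	}
	kek := hkdf32(must(regional.enc.ECDH(ephPub)), nil, []byte("kwk-transport"))
	kwk, err := unwrap(kek, b.SealedKWK)
	if err != nil {
		return nil, err
	}
	return unwrap(kwk, b.WrappedSecrets)
}

// DeriveDEK derives a tenant-scoped data encryption key (an assumed derivation).
func DeriveDEK(releaseSecrets, tenantSecret []byte, tenantID string) []byte {
	return hkdf32(releaseSecrets, tenantSecret, []byte("dek:"+tenantID))
}

func main() {
	primary, regional := NewHSM(), NewHSM()
	sig := primary.SignRegionalKey(regional.EncKey())
	bundle, _, err := primary.StartRelease(regional.EncKey(), sig)
	secrets := must(regional.ReceiveRelease(must(bundle, err)))
	fmt.Printf("regional HSM recovered %d bytes of per-release secrets\n", len(secrets))
}
```

Three properties of the layering are worth checking when running it: a regional key the primary never signed is refused before any release material is produced, a bundle encrypted to one regional HSM cannot be opened by another, and any change to the sealed wrapping key or wrapped secrets is caught by the AES-GCM tag rather than yielding wrong keys silently. Tenant scoping appears in the last stage only: the same per-release secrets plus a different tenant secret or tenant ID give a different DEK.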
           