How Salesforce Shield EKM Works

Shield Platform Encryption, when using External Key Management (EKM), relies on a customer's external Key Management Service (KMS) to manage data encryption keys (DEKs). These DEKs are crucial for both encrypting and decrypting data. When not in use, the DEKs are stored in a "wrapped" (encrypted) state within Shield Platform Encryption's key cache. For any encryption or decryption operation, Shield Platform Encryption sends the wrapped DEK to the customer's external key service, which then unwraps it and securely returns it. This process remains consistent for Data 360 users as well.

Required Editions

Available in both Lightning Experience and Salesforce Classic (not available in all orgs).
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service. Data 360 customers must also have the Platform Encryption for Consumption license.

User Permissions Needed

To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys

The process of establishing EKM begins with the customer creating a root key in their KMS. The customer then creates a policy granting the Salesforce regional KMS two permissions on that root key: to have the customer key service generate and wrap a DEK using the root key, and to unwrap that DEK using the root key. This policy enables the creation of an EKM DEK in Salesforce Setup. Subsequently, Shield Platform Encryption requests the customer KMS to generate a DEK, which the customer KMS wraps and securely sends to Shield Platform Encryption. This wrapped DEK is the only copy that exists, and it is stored in the TenantSecret database.

When an encryption operation requires an EKM DEK, Shield Platform Encryption checks its encrypted key cache. If the unwrapped DEK is not present, Shield Platform Encryption requests the customer key service to unwrap it, and the key service securely sends it back. The unwrapped key is then added to the encrypted key cache for immediate use. For subsequent operations, if the unwrapped DEK is already in the cache, it's used directly for encryption and decryption. The Shield KMS includes enhanced cache controls that encrypt fetched key material with an org-specific AES 256-bit cache encryption key, so the DEK is never held in the cache in the clear. This cache encryption key is protected by HSM-protected keys and is rotated during key lifecycle events.

Note: On average, the cache is flushed about every 72 hours. Some internal operations flush the cache every 24 hours.
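The key flow described above, as an added Go example that is not Salesforce's code or the page's own: a stand-in customer KMS that holds a root key and only exposes generate-and-wrap and unwrap operations to one policy-listed principal, and a stand-in Shield-side component whose TenantSecret record holds only the wrapped DEK, fetches the plaintext DEK from the KMS on demand, and keeps it in a cache sealed under an org-specific cache key until the cache is flushed or the cache key is rotated. The type names, the principal string, the exported UnwrapCalls counter, the use of AES-256-GCM as the wrapping algorithm, and the explicit FlushCache call in place of the 72-hour timer are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on error; used only where failure would be a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; unseal reverses it.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// CustomerKMS stands in for the customer's key service (assumed name): the root
// key never leaves it, and the policy names the one principal allowed to call it.
type CustomerKMS struct {
	rootKey []byte
	allowed string
}

func NewCustomerKMS(allowed string) *CustomerKMS { return &CustomerKMS{rootKey: randomBytes(32), allowed: allowed} }

// GenerateWrappedDEK returns a fresh DEK in wrapped form only; the plaintext
// is dropped here, so the wrapped copy is the only one that leaves the KMS.
func (k *CustomerKMS) GenerateWrappedDEK(principal string) ([]byte, error) {
	if principal != k.allowed {
		return nil, fmt.Errorf("policy denies GenerateDataKey for %q", principal)
	}
	return seal(k.rootKey, randomBytes(32)), nil
}

func (k *CustomerKMS) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	if principal != k.allowed {
		return nil, fmt.Errorf("policy denies Unwrap for %q", principal)
	}
	return unseal(k.rootKey, wrapped)
}

// ShieldKMS stands in for the Salesforce side (assumed name): TenantSecret holds
// only the wrapped DEK, and a fetched DEK is cached sealed under an org-specific key.
type ShieldKMS struct {
	kms         *CustomerKMS
	principal   string
	wrappedDEK  []byte // the TenantSecret record
	cacheKey    []byte // org-specific cache encryption key
	sealedDEK   []byte // cache entry, nil when flushed
	UnwrapCalls int    // round trips to the customer KMS
}

// NewShieldKMS is the Setup step: ask the customer KMS for a wrapped DEK.
func NewShieldKMS(kms *CustomerKMS, principal string) (*ShieldKMS, error) {
	wrapped, err := kms.GenerateWrappedDEK(principal)
	if err != nil {
		return nil, err
	}
	return &ShieldKMS{kms: kms, principal: principal, wrappedDEK: wrapped, cacheKey: randomBytes(32)}, nil
}

// DEK is what every encrypt/decrypt operation calls first: served from the
// sealed cache when present, otherwise unwrapped by the customer KMS and cached.
func (s *ShieldKMS) DEK() ([]byte, error) {
	if s.sealedDEK != nil {
		return unseal(s.cacheKey, s.sealedDEK)
	}
	plain, err := s.kms.Unwrap(s.principal, s.wrappedDEK)
	if err != nil {
		return nil, err
	}
	s.UnwrapCalls++
	s.sealedDEK = seal(s.cacheKey, plain)
	return plain, nil
}

// FlushCache models the periodic flush; RotateCacheKey the key lifecycle event.
func (s *ShieldKMS) FlushCache()     { s.sealedDEK = nil }
func (s *ShieldKMS) RotateCacheKey() { s.cacheKey, s.sealedDEK = randomBytes(32), nil }
```

Two things to watch when running it: the first DEK() call is the only one that reaches the customer KMS until FlushCache or RotateCacheKey is called, so UnwrapCalls is the practical measure of how often the external key service is on the critical path; and a principal not named in the policy is refused at both generate and unwrap time, which is the access-control boundary the customer's KMS policy enforces. Data sealed under the DEK still opens after a flush or rotation because those only discard the cached copy, never the DEK itself.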
Salesforce Help | Article