          Behind the Scenes: The Shield Platform Encryption Process for Tenant Secrets

          With field-level encryption, when users submit data, the application server looks for the org-specific data encryption key (DEK) in its cache. If it isn’t there, the application server gets the encrypted tenant secret from the database and asks the regional key management server (KMS) to derive the key. The Shield Platform Encryption service then encrypts the data on the application server. If you opt out of key derivation or use either the External Key Management Service or the Cache-Only Key Service, the encryption service applies your customer-supplied data encryption key directly to your data.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.

          Salesforce securely generates the primary and tenant secrets by using hardware security modules (HSMs). The unique key is derived by using PBKDF2, a key derivation function (KDF), with the primary and tenant secrets as inputs.

          The Shield Platform Encryption process is as follows:

          • When a Salesforce user saves encrypted data, the runtime engine determines from metadata whether to encrypt the field, file, or attachment before storing it in the database.
          • If so, the encryption service checks for the matching data encryption key in cached memory.
          • The encryption service determines whether the key is in the cache.
            • If so, the encryption service retrieves the key from the cache.
            • If not, the encryption service sends a derivation request to the regional KMS, which derives the key from the primary and tenant secrets and returns it to the encryption service running on the Salesforce Platform.
          • After retrieving or deriving the key, the encryption service generates a random initialization vector (IV) and encrypts the data by using 256-bit AES encryption.
          • The ciphertext is saved in the database or file storage. The IV and corresponding ID of the tenant secret used to derive the data encryption key are saved in the database. Salesforce generates a new primary secret at the start of each release.