          How Key Material Is Stored

          The critical components of the Security Platform Encryption architecture—the KDF secrets, KDF salt, wrapping keys, and DEKs—are secured using a tiered structure that incorporates wrapped keys, signing, and key derivation.

          Required Editions

          Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.

          These artifacts, essential participants in the architecture, are stored:

          • Securely on disk in the Salesforce Key Management Server (KMS)
          • On the Salesforce application server
          • In your database as wrapped units (such as a public key)
          • In the Data Encryption Key (DEK) cache

          Also, these artifacts can be derived as needed from other wrapped artifacts.

          The Salesforce encryption key management process ensures that at no time is any security artifact stored unprotected. We use various methods to protect each type of security artifact.

          Method: Application Servers
          Description: Servers in production environments that run Salesforce. When a customer attempts to read or write encrypted data or generate a tenant secret, the application server communicates with a regional KMS to process the request.

          Method: External Key Management Service
          Description: Service that you use when fully managing your own data encryption keys by using the External Key Management Service or the Cache-Only Key Service.

          Method: Primary HSM (nShield® Connect HSM model XC)
          Description: A FIPS 140-2 Level 3 compliant hardware network appliance that generates per-release secrets and secret-wrapping keys and signs the public keys of regional HSMs. The primary HSM is located in the primary KMS. Access to the HSM is controlled through a High Assurance Virtual Ceremony (HAVC).
          The primary HSM public signing key is used to sign and verify each regional HSM's public encryption key. At the start of each release, the primary and regional HSM public encryption keys are each used to encrypt, separately, a per-release primary key wrapping key. That key wrapping key in turn encrypts the remainder of the per-release secrets from which data encryption keys are derived.

          Method: Salesforce Search Index
          Description: Servers in production environments that manage Salesforce searches. When a user attempts to query encrypted data, the search index processes the request.

          Method: Shield KMS Server
          Description: Shield Platform Encryption uses a single primary KMS and multiple regional KMSs. The primary KMS is the first KMS to receive the per-release secrets. It makes those secrets available to regional KMSs, and it services key material requests like any regional KMS server.
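The tiered structure the table describes (a primary HSM that signs regional public encryption keys, a per-release key wrapping key encrypted separately to the primary and regional HSMs, the remaining per-release KDF secret and salt wrapped under that key, and DEKs derived on demand rather than stored) can be modelled end to end. The Go program below is an added example written for this page; it is not Salesforce code and does not reflect the actual algorithms, key sizes, labels or message formats that Shield Platform Encryption or its HSMs use. Go is used only because its standard library has every primitive needed. The choices of RSA-OAEP for the public-key encryption, Ed25519 for signing, AES-256-GCM for wrapping and an HMAC-SHA256 extract-and-expand construction as the KDF are assumptions (the page names none of them), and the type and function names (Release, HSM, PrimaryHSM, StartRelease, DeriveDEK, RegionalDeriveDEK) and the "kdf-secret", "kdf-salt" and "dek:" labels are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Release is what the primary KMS makes available to a regional KMS for one release (constructed
// model for this example). Every field is wrapped or signed; no secret is stored in the clear.
type Release struct {
	RegionalPubDER, RegionalPubSig   []byte // regional HSM public encryption key, signed by the primary HSM
	KWKForPrimary, KWKForRegion      []byte // per-release primary KWK, RSA-OAEP encrypted separately to each HSM
	WrappedKDFSecret, WrappedKDFSalt []byte // remaining per-release secrets, AES-256-GCM wrapped under the KWK
}

type HSM struct{ enc *rsa.PrivateKey }                  // any HSM: a private decryption key that never leaves it
type PrimaryHSM struct { HSM; sign ed25519.PrivateKey } // the primary HSM additionally signs regional public keys

// must panics on setup errors that cannot occur with valid inputs (key generation, cipher construction).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func randBytes(n int) []byte                       { b := make([]byte, n); must(rand.Read(b)); return b }
func NewHSM() HSM                                  { return HSM{must(rsa.GenerateKey(rand.Reader, 2048))} }
func NewPrimaryHSM() *PrimaryHSM                   { return &PrimaryHSM{NewHSM(), ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))} }
func (h HSM) Pub() *rsa.PublicKey                  { return &h.enc.PublicKey }
func (p *PrimaryHSM) VerifyKey() ed25519.PublicKey { return p.sign.Public().(ed25519.PublicKey) }

// deriveKey is an HKDF-style extract-then-expand over HMAC-SHA256, one 32-byte block. The page
// does not name the KDF, so this construction is an assumption of the example.
func deriveKey(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append(append([]byte{}, info...), 1))
	return expand.Sum(nil)
}

func gcmFor(kek []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(kek)))) }

// wrap: AES-256-GCM, blob = nonce||ciphertext; the label is bound as associated data, so a wrapped
// salt cannot be passed off as a wrapped KDF secret. unwrap reverses it and fails on any tampering.
func wrap(kek, key, label []byte) []byte {
	nonce := randBytes(12)
	return gcmFor(kek).Seal(nonce, nonce, key, label)
}

func unwrap(kek, blob, label []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("wrapped blob too short")
	}
	return gcmFor(kek).Open(nil, blob[:12], blob[12:], label)
}

// StartRelease runs on the primary HSM: sign the regional public key, generate the per-release KWK
// and KDF inputs, encrypt the KWK to both HSMs separately, and wrap the KDF inputs under the KWK.
func (p *PrimaryHSM) StartRelease(regionalPub *rsa.PublicKey) *Release {
	der := must(x509.MarshalPKIXPublicKey(regionalPub))
	kwk, secret, salt := randBytes(32), randBytes(32), randBytes(32)
	return &Release{
		RegionalPubDER:   der,
		RegionalPubSig:   ed25519.Sign(p.sign, der),
		KWKForPrimary:    must(rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub(), kwk, nil)),
		KWKForRegion:     must(rsa.EncryptOAEP(sha256.New(), rand.Reader, regionalPub, kwk, nil)),
		WrappedKDFSecret: wrap(kwk, secret, []byte("kdf-secret")),
		WrappedKDFSalt:   wrap(kwk, salt, []byte("kdf-salt")),
	}
}

// DeriveDEK unwraps the KWK with this HSM's private key, then the KDF inputs, and derives the
// tenant's DEK. Nothing unwrapped is stored; it exists in memory only for the duration of the call.
func (h HSM) DeriveDEK(wrappedKWK []byte, r *Release, tenant string) ([]byte, error) {
	kwk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.enc, wrappedKWK, nil)
	if err != nil {
		return nil, err
	}
	secret, errS := unwrap(kwk, r.WrappedKDFSecret, []byte("kdf-secret"))
	salt, errT := unwrap(kwk, r.WrappedKDFSalt, []byte("kdf-salt"))
	if errS != nil || errT != nil {
		return nil, fmt.Errorf("unwrap failed: secret=%v salt=%v", errS, errT)
	}
	return deriveKey(secret, salt, []byte("dek:"+tenant)), nil
}

// RegionalDeriveDEK is the regional side: refuse the release unless it carries this HSM's own public
// key under a valid primary HSM signature, then derive the DEK from the regional copy of the KWK.
func (h HSM) RegionalDeriveDEK(primaryVerify ed25519.PublicKey, r *Release, tenant string) ([]byte, error) {
	own := must(x509.MarshalPKIXPublicKey(h.Pub()))
	if string(own) != string(r.RegionalPubDER) || !ed25519.Verify(primaryVerify, r.RegionalPubDER, r.RegionalPubSig) {
		return nil, errors.New("release does not carry this HSM's key signed by the primary HSM")
	}
	return h.DeriveDEK(r.KWKForRegion, r, tenant)
}

func main() {
	primary, region := NewPrimaryHSM(), NewHSM()
	rel := primary.StartRelease(region.Pub())
	a, _ := primary.DeriveDEK(rel.KWKForPrimary, rel, "tenant-A")
	b, err := region.RegionalDeriveDEK(primary.VerifyKey(), rel, "tenant-A")
	fmt.Printf("regional release accepted: %v, DEKs match: %v\n", err == nil, string(a) == string(b))
}
```

Run it with `go run`. Both HSMs arrive at the same tenant DEK from their own copy of the wrapped KWK, a release whose signature does not verify under the primary HSM's key is refused by the regional side, and an altered wrapped blob, or a salt blob presented under the secret's label, fails to unwrap because the label is bound as associated data. Neither HSM persists an unwrapped KWK, KDF input or DEK; each exists only inside the derivation call, which is the property the paragraph on deriving artifacts on demand describes.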
           