Onboard BYOK

Switch from Salesforce-generated keys to Bring Your Own Key (BYOK) for Shield Platform Encryption.

Required Editions

Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.

Note: If you're using a key server supported by External Key Management (EKM), it may be easier to use EKM instead. See Onboard EKM for details.

Implementing Salesforce BYOK involves these steps:

• You generate your own key material (either a tenant secret or a data encryption key) outside of Salesforce.
• You use Salesforce to generate a BYOK-compatible RSA certificate (a public/private key pair).
• You "wrap" (encrypt) your self-generated key material using the public key from the Salesforce-generated certificate. This protects the tenant secret in transit.
• You securely upload this wrapped key material to your Salesforce org.
• Salesforce's Key Management Service (KMS) stores your wrapped key material.

This process ensures that Salesforce never directly accesses your plaintext key material, and you maintain control over its generation and lifecycle. Salesforce handles the secure application of the derived DEK for data encryption and decryption.

Prepare to use BYOK

Setting up BYOK requires creating a random secret and wrapping it with the public key of a new certificate. To prepare for BYOK, we recommend these steps.

We also provide helper scripts (available for macOS and Linux) that assist you in creating your wrapped key material. The documentation includes full information on how to use them.
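To make the generate-wrap-upload flow above and the "random secret wrapped with a new certificate" preparation step concrete, here is an added Go example; it is not Salesforce's helper script or any Salesforce code. It draws a 256-bit tenant secret from the OS CSPRNG, wraps it with RSA-OAEP under the certificate's public key, and shows the receiving side rejecting a corrupted blob or mismatched digest. The stand-in key pair, the 32-byte length, OAEP with SHA-1, the SHA-256 digest field and base64 transport are all assumptions of this demo; use the Salesforce-provided scripts for the real upload format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// StandInKey stands in for the Salesforce-generated certificate's key pair; in production the
// private half stays in Salesforce's KMS and you only ever hold the public certificate.
var StandInKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// WrapNewTenantSecret draws a fresh 256-bit secret from the OS CSPRNG (never a passphrase or
// seed), wraps it under the certificate's public key with RSA-OAEP and returns the plaintext for
// your own escrow, the wrapped blob and a SHA-256 digest of the plaintext (assumed upload fields).
func WrapNewTenantSecret(pub *rsa.PublicKey) (secret, wrapped []byte, digest [32]byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, digest, err
	}
	// OAEP with SHA-1 matches openssl's "-oaep" default; the exact hash is an assumption here.
	if wrapped, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, secret, nil); err != nil {
		return nil, nil, digest, err
	}
	return secret, wrapped, sha256.Sum256(secret), nil
}

// UnwrapTenantSecret models the receiving KMS: decrypt with the private key, then check the
// digest so a corrupted or swapped blob is rejected before it is ever used as key material.
func UnwrapTenantSecret(wrapped []byte, digest [32]byte, priv *rsa.PrivateKey) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong private key or corrupted blob): %w", err)
	}
	if sha256.Sum256(secret) != digest {
		return nil, fmt.Errorf("digest mismatch: uploaded hash does not match the unwrapped secret")
	}
	return secret, nil
}

func main() {
	_, wrapped, digest, err := WrapNewTenantSecret(&StandInKey.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped=%s\nhash=%s\n", base64.StdEncoding.EncodeToString(wrapped), base64.StdEncoding.EncodeToString(digest[:]))
}
```

Only the wrapped blob and the digest leave your machine; the plaintext secret stays with you, which is the property the flow above is built around.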

Rotating To and From a BYOK

You can rotate to a BYOK, and rotate back to a Salesforce tenant secret or to EKM (if the feature supports EKM). To the Shield Platform Encryption process, a BYOK is just another secret. The topic Work with Salesforce Key Material describes key rotation concepts, considerations, and limitations.

Salesforce Help | Article