Work with External Key Material
So you can maintain more complete control over your key material, Salesforce offers you three options: BYOK (Bring Your Own Key), EKM (External Key Management), and the Cache-Only key service.
- Bring Your Own Key (BYOK)
  When you supply your own tenant secret or data encryption key (DEK), you get the benefits built into Salesforce Shield Platform Encryption, plus the extra assurance that comes from exclusively managing your own key material. Depending on the feature, BYOK supports derived keys and DEKs. To be compatible with Salesforce BYOK, use a PKCS#8 encrypted, Base64 encoded 4096-bit RSA key pair with appropriate headers and footers.
- External Key Management
  Shield External Key Management (EKM) connects your Salesforce implementation to your key material (tenant secret, data encryption key, or root key) in an external KMS and uses that key material for encryption operations on Salesforce data. EKM fetches your keys on demand from the external KMS over a secure channel. EKM is currently available for core encryption services (such as FLE), all Data 360 data, and for Shield Platform Encryption Search Indexes.
- Cache-Only Key Service
  Shield Platform Encryption’s Cache-Only Key Service addresses a unique need for non-persisted key material. You can store your key material outside of Salesforce in any key repository or service that you control and have the Cache-Only Key Service fetch your key on demand from that key service. Your key service transmits your key over a secure channel that you configure, and the Cache-Only Key Service uses your key for immediate encrypt and decrypt operations. Salesforce doesn’t retain or persist your cache-only keys in any system of record or backups. You can revoke key material at any time.
  - Configure Your Cache-Only Key Callout Connection
    Use a named credential to specify the endpoint for your callout, and identify the key that you want to fetch from your endpoint.
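The BYOK item above states the key format Salesforce expects (a PKCS#8 encrypted, Base64 encoded 4096-bit RSA key pair with PEM headers and footers) but not how to produce or verify one. The shell script below is an added example, not Salesforce's own tooling or text: it generates such a key pair with the `openssl` command-line tool and then checks a private key file against each of those format requirements before it is uploaded. The output file names and the passphrase are constructed for the example; the check rejects a key that is unencrypted, not Base64, or not 4096 bits.

```shell
#!/bin/sh
# Added example: generate and validate a BYOK-style RSA key pair with openssl.
# Assumes the openssl CLI (1.1 or 3.x) is on PATH. File names and passphrase are constructed.
set -e

# Generate a 4096-bit RSA private key as an encrypted PKCS#8 PEM and export its public key.
# $1 = output file prefix, $2 = passphrase protecting the private key
gen_byok_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -aes-256-cbc -pass "pass:$2" -out "$1_private.pem" 2>/dev/null
  openssl pkey -in "$1_private.pem" -passin "pass:$2" -pubout -out "$1_public.pem" 2>/dev/null
}

# Return 0 only if $1 is an encrypted PKCS#8 PEM whose body is Base64 and whose RSA modulus is 4096 bits.
# $1 = private key file, $2 = its passphrase
check_byok_private_key() {
  f="$1"; pass="$2"
  # PKCS#8 encrypted PEM uses this exact header/footer; "BEGIN RSA PRIVATE KEY" (PKCS#1) would be wrong.
  head -n 1 "$f" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' \
    || { echo "$f: header is not an encrypted PKCS#8 PEM header"; return 1; }
  tail -n 1 "$f" | grep -q '^-----END ENCRYPTED PRIVATE KEY-----$' \
    || { echo "$f: missing encrypted PKCS#8 PEM footer"; return 1; }
  # Everything between header and footer must be the Base64 alphabet plus padding.
  sed '1d;$d' "$f" | tr -d '\n' | grep -Eq '^[A-Za-z0-9+/]+=*$' \
    || { echo "$f: body is not Base64"; return 1; }
  # Decrypt and read the modulus size: "Private-Key: (4096 bit)" on 1.1, "(4096 bit, 2 primes)" on 3.x.
  bits=$(openssl pkey -in "$f" -passin "pass:$pass" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  [ "$bits" = "4096" ] \
    || { echo "$f: expected a 4096-bit RSA key, got ${bits:-unreadable}"; return 1; }
  return 0
}

# Usage:
#   gen_byok_keypair ./byok 'my-passphrase'
#   check_byok_private_key ./byok_private.pem 'my-passphrase' && echo "ready for BYOK upload"
```

The passphrase is passed with `pass:` only to keep the example self-contained; in practice use `-pass file:` or `-pass env:` so it does not land in shell history or process listings, and keep the private key file outside any repository.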

