BYOK Tenant Secret Flow
To supply your own tenant secret, you create the secret, encrypt it with the public key of a BYOK-compatible certificate, and encode it with base64 encoding.
- Users prepare their tenant secret for upload.
- The user generates a BYOK-compatible certificate, declaratively or programmatically, whose private key is encrypted with an org-specific derived data encryption key. The certificate can be self-signed or certificate authority (CA)-signed. The user then downloads this certificate.
- The user generates a 256-bit tenant secret by using the method of their choice, encrypts it with the public key from their BYOK-compatible certificate, and then encodes the encrypted tenant secret to base64.
- The user calculates an SHA-256 hash of the plaintext tenant secret and then encodes this hash to base64.
- The user uploads the encrypted tenant secret and hashed plaintext tenant secret files to Salesforce.
- The application server then passes the encrypted tenant secret and hashed plaintext tenant secret files to the regional Shield KMS.
- If customers don’t opt out of derivation, the regional Shield KMS creates the BYOK-derived encryption key to unwrap the certificate’s private key.
- The customer’s uploaded tenant secret is decrypted by using the BYOK certificate’s private key.
- The tenant secret is then hashed by using SHA-256 and compared to the SHA-256 hash provided by the customer.
- If the hashes match, the regional Shield KMS encrypts the tenant secret with the per-release tenant wrapping key.
- The regional Shield KMS sends the encrypted tenant secret back to the encryption service running on the Lightning Platform.
- The encryption service stores the encrypted tenant secret securely in the database. The encrypted tenant secret is used to derive the org’s specific data encryption keys on demand. This encrypted tenant secret can only be decrypted in the regional Shield KMS.
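The user-side preparation (random 256-bit secret, public-key encryption, base64, SHA-256 of the plaintext) and the KMS-side check (decrypt, rehash, compare) together form one round trip, shown below as an added example. This is not Salesforce code and not its tooling: it assumes the `cryptography` library, RSA-OAEP with SHA-256 as the padding (the page documents only the public-key-encrypt / private-key-decrypt shape, not the padding mode), and it generates a throwaway self-signed certificate locally so both halves can run in a single process. In the real flow the certificate's private key stays wrapped inside the regional Shield KMS and is never available to the user.

```python
import base64
import datetime
import hashlib
import hmac
import secrets

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Assumption: the KMS unwraps with RSA-OAEP/SHA-256. The page does not name the
# padding; only the public-key-encrypt / private-key-decrypt shape is documented.
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def make_self_signed_cert():
    """Constructed stand-in for the BYOK-compatible certificate.

    In the real flow Salesforce generates the certificate and keeps the private
    key wrapped inside the regional Shield KMS; it is held locally here only so
    the KMS-side check can be exercised in the same process.
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "byok-example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(private_key, hashes.SHA256())
    )
    return private_key, cert.public_bytes(serialization.Encoding.PEM)


def sha256_b64(data: bytes) -> str:
    """Base64 of the SHA-256 digest: the format of the uploaded hash file."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def prepare_tenant_secret(cert_pem: bytes):
    """User side: 256-bit secret, encrypted with the certificate's public key and
    base64-encoded, plus the base64 SHA-256 of the plaintext.

    Returns (plaintext, encrypted_b64, hash_b64). Only the last two are uploaded;
    the plaintext is returned so the caller can retain it in its own key store.
    """
    tenant_secret = secrets.token_bytes(32)  # 256 bits from the OS CSPRNG
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    ciphertext = public_key.encrypt(tenant_secret, OAEP_SHA256)
    encrypted_b64 = base64.b64encode(ciphertext).decode("ascii")
    return tenant_secret, encrypted_b64, sha256_b64(tenant_secret)


def kms_verify(private_key, encrypted_b64: str, hash_b64: str):
    """KMS side: decrypt with the certificate's private key, rehash, compare.

    Returns the plaintext tenant secret on a match and None otherwise (bad
    base64, undecryptable blob, wrong length, or hash mismatch). The compare is
    constant-time so the check does not leak how many digest bytes matched.
    """
    try:
        plaintext = private_key.decrypt(base64.b64decode(encrypted_b64), OAEP_SHA256)
        expected_digest = base64.b64decode(hash_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(plaintext) != 32:
        return None
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), expected_digest):
        return None
    return plaintext


if __name__ == "__main__":
    key, cert_pem = make_self_signed_cert()
    secret, enc_b64, hash_b64 = prepare_tenant_secret(cert_pem)
    print("encrypted tenant secret (b64):", enc_b64[:40], "...")
    print("plaintext hash (b64):", hash_b64)
    print("KMS accepts genuine upload:", kms_verify(key, enc_b64, hash_b64) == secret)
    print("KMS rejects mismatched hash:", kms_verify(key, enc_b64, sha256_b64(b"x")) is None)
```

The hash file exists so the KMS can tell a correctly decrypted secret from garbage before wrapping it with the per-release tenant wrapping key; a mismatch (for example a secret encrypted with the wrong certificate, or a hash computed over the base64 text instead of the raw bytes) is rejected at this step rather than silently producing keys that can never match the customer's copy.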

