Cache-Only Keys Option
Customers can create and store a DEK outside of Salesforce and use Cache-Only Keys to apply that DEK to data in Salesforce. Customers can use an on-premises key service, host their own cloud-based key service, or use a cloud-based key brokering vendor. Root keys and named principals are supported. DEKs are fetched on demand over a secure channel that the customer configures. Salesforce-generated DEKs are wrapped with a cache key encryption key and placed directly in the encrypted key cache for encrypt and decrypt operations. DEKs generated by an external KMS are wrapped by the generating root key, and they’re unwrapped by that same root key when needed.
Because cache-only keys bypass the key derivation process, they're used directly to encrypt and decrypt your data. Subsequent encryption and decryption requests go through the encrypted key cache until the cache-only key is revoked or rotated, or the cache is flushed. After the cache is flushed, the cache-only key material is fetched again from your specified key service. The cache is regularly flushed every 72 hours.
Certain Salesforce operations flush the cache on average every 24 hours. Destroying a data encryption key invalidates the corresponding data encryption key that’s stored in the cache.
- Cache-Only Key Flow
With Field-Level Encryption (FLE), you can insert a final data encryption key into the encrypted key cache. You supply a cache-only key as an encrypted JWE JSON file, wrapped with your content encryption key.
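The JWE in which a cache-only key is delivered, as an added example that is not Salesforce code and not from this page: the DEK is the JWE payload, a fresh content encryption key encrypts it, and the recipient's public key wraps that CEK; the consumer side checks the structure, unwraps, and authenticates before releasing the DEK. The RSA-OAEP/A256GCM algorithms and the `kid` header are assumptions of this example, and the RSA key and DEK in the test are constructed, not a customer's real key service configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// WrapDEK emits a compact-serialization JWE whose payload is the DEK: a fresh AES-256-GCM
// content encryption key (CEK) encrypts the DEK, RSA-OAEP wraps the CEK under pub, and the
// protected header is bound as GCM associated data so header tampering fails on unwrap.
func WrapDEK(dek []byte, pub *rsa.PublicKey, kid string) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	// alg/enc/kid values are an assumption of this example, not taken from the page.
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP", "enc": "A256GCM", "kid": kid})
	protected := enc(hdr)
	buf := make([]byte, 32+12) // 256-bit CEK followed by a 96-bit GCM IV
	rand.Read(buf)             // never returns an error since Go 1.24
	cek, iv := buf[:32], buf[32:]
	wrappedCEK, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, dek, []byte(protected)) // ciphertext || 16-byte tag
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	return strings.Join([]string{protected, enc(wrappedCEK), enc(iv), enc(ct), enc(tag)}, "."), nil
}

// UnwrapDEK recovers the CEK with priv, then authenticates and decrypts the DEK; any tampering fails.
func UnwrapDEK(jwe string, priv *rsa.PrivateKey) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("malformed JWE: expected 5 dot-separated parts")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	cek, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, dec(parts[1]), nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("CEK unwrap failed or CEK is not 256 bits")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, dec(parts[2]), append(dec(parts[3]), dec(parts[4])...), []byte(parts[0]))
}
```

The GCM tag covers the protected header, so a consumer that binds the header as associated data rejects a JWE whose `kid` or algorithm fields were altered in transit.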