Encrypted Information Flow with Key Derivation
When attempting to read or write encrypted data, if the DEK isn’t already in the encrypted key cache, the encryption service transmits the request to the regional Shield KMS to retrieve it. For content encrypted at the application tier, such as FLE, the KDF derives a DEK by using the KDF secret, KDF salt, and customer tenant secret. The derived data encryption key is returned to the encryption service.
The process for deriving the data encryption key during a decryption request includes these steps. (Encryption is nearly identical.)
- A user attempts to read encrypted data.
- The Lightning Platform queries the data from the storage engine.
- Based on metadata stored with the encrypted data, the encryption service retrieves the appropriate encrypted tenant secret from the database.
- The encryption service sends an authenticated request for the derived key to the regional Shield KMS. The request includes the encrypted tenant secret.
Data moving between the regional Shield KMS and the encryption service is encrypted by the TLS protocol, which uses a certificate signed by a dedicated Salesforce authority. This certificate’s private key is stored by the regional Shield KMS and the encryption service in an encrypted form. The certificate’s public and private keys are rotated regularly.
- The regional Shield KMS decrypts the tenant secret with the appropriate tenant wrapping key in the encrypted key cache.
- The regional Shield KMS derives the requested data encryption key by using the appropriate KDF seed, KDF salt, and tenant secret as inputs for the key derivation function (PBKDF2WithHmacSHA256).
- The regional Shield KMS sends the encrypted data encryption key back to the encryption service.
- The encryption service decrypts the data encryption key. The data encryption key is encrypted with a cache key encryption key and stored in the encrypted key cache.
- Using the data encryption key, the encryption service decrypts the customer data and returns it to the user.
PBKDF2 Inputs
Data encryption keys are derived by using PBKDF2 with these values as inputs.
- PRF—HmacSHA256
- Password—KDF seed XOR tenant secret
- Salt—KDF salt
- c—15,000
- dkLen—256
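The derivation above, as an added example that is not Salesforce's own code: it runs PBKDF2-HMAC-SHA256 over the XOR of the KDF seed and tenant secret with the KDF salt and 15,000 iterations, and selects the tenant secret by the version recorded with the ciphertext. All key material here is constructed, and dkLen 256 is taken as bits (32 bytes), an assumption.

```python
import hashlib

PBKDF2_ITERATIONS = 15_000   # the page's "c"
DK_LEN_BYTES = 32            # the page's dkLen of 256, read here as bits (assumption)


def derive_dek(kdf_seed: bytes, tenant_secret: bytes, kdf_salt: bytes) -> bytes:
    """PBKDF2 with HmacSHA256 over (KDF seed XOR tenant secret), salted with the KDF salt."""
    if len(kdf_seed) != len(tenant_secret):
        raise ValueError("KDF seed and tenant secret must be the same length to XOR")
    password = bytes(s ^ t for s, t in zip(kdf_seed, tenant_secret))
    return hashlib.pbkdf2_hmac("sha256", password, kdf_salt, PBKDF2_ITERATIONS, DK_LEN_BYTES)


# Constructed sample inputs; real seeds, salts and tenant secrets are never these values.
KDF_SEED = bytes.fromhex("0f" * 32)
KDF_SALT = b"constructed-kdf-salt"
TENANT_SECRETS = {  # version -> secret, as the metadata stored with the ciphertext selects it
    1: bytes.fromhex("a1" * 32),
    2: bytes.fromhex("b2" * 32),
}


def dek_for_record(secret_version: int) -> bytes:
    """Pick the tenant secret named by the record's metadata and derive its DEK."""
    return derive_dek(KDF_SEED, TENANT_SECRETS[secret_version], KDF_SALT)


def demo() -> dict:
    v1 = dek_for_record(1)
    v2 = dek_for_record(2)
    return {
        # Same inputs give the same DEK, so an evicted cache entry can be re-derived on demand.
        "deterministic": v1 == dek_for_record(1),
        # A rotated tenant secret yields a different DEK; old records still need their old version.
        "separated_by_secret": v1 != v2,
        "dek_len": len(v1),
    }


if __name__ == "__main__":
    print(demo())
```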