          Data Encryption Key Derivation

          Shield Platform Encryption uses the Shield Key Management Service to derive DEKs for encrypting customer data at rest. DEKs are derived from partial key secrets that are securely wrapped and stored in the Shield KMS. Key derivation ensures that the derived keys are never persisted in their composite forms, and it enables customers to control the key lifecycle.

DEKs are typically derived from three key materials: a cryptographic key from Salesforce called the KDF seed, a cryptographic key from the customer called the tenant secret, and a random value, or salt. This layered approach gives the customer a crucial role in the encryption process, particularly through the tenant secret, which the customer manages and rotates. A different method of DEK creation uses a root key hosted in either the regional Shield KMS or an external KMS.

• Key Derivation Architecture
  Secrets and secret-wrapping keys used in the key derivation process are initialized by the HSM in the primary Shield KMS at the start of each release. Customer-provided tenant secrets are initialized on demand in production environments by the HSMs in the regional Shield KMSs.
• Encrypted Information Flow with Key Derivation
  When encrypted data is read or written and the DEK isn't already in the encrypted key cache, the encryption service sends a request to the regional Shield KMS to retrieve it. For content encrypted at the application tier, such as FLE, the KDF derives a DEK from the KDF secret, the KDF salt, and the customer's tenant secret, and the derived data encryption key is returned to the encryption service.
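The following is an added illustration, not Salesforce's code: the page does not document the actual KDF construction, so HKDF-SHA256 (RFC 5869) is assumed, and the cache keyed by tenant and tenant-secret version is a modelling assumption. It shows why a derived DEK need not be persisted: the same three inputs always reproduce it, rotating the tenant secret yields a different key, and a cache miss triggers derivation rather than a read of a stored key.

```python
import hmac
import hashlib


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_dek(kdf_seed: bytes, tenant_secret: bytes, kdf_salt: bytes) -> bytes:
    # Both the Salesforce-held seed and the customer-held tenant secret feed the
    # KDF, so neither party's material alone reproduces the DEK (assumed layout).
    prk = hkdf_extract(kdf_salt, kdf_seed + tenant_secret)
    return hkdf_expand(prk, b"example-dek-context", 32)


class DekCache:
    """Models the encrypted key cache: a miss re-derives, it never loads a stored DEK."""

    def __init__(self, kdf_seed: bytes, kdf_salt: bytes):
        self._seed, self._salt = kdf_seed, kdf_salt
        self._cache = {}
        self.derivations = 0  # how many times the KDF was invoked

    def get(self, tenant_id: str, secret_version: int, tenant_secret: bytes) -> bytes:
        key = (tenant_id, secret_version)
        if key not in self._cache:
            self.derivations += 1
            self._cache[key] = derive_dek(self._seed, tenant_secret, self._salt)
        return self._cache[key]


# Constructed sample material (not real keys): seed, salt, and two tenant-secret versions.
SEED = hashlib.sha256(b"constructed kdf seed").digest()
SALT = hashlib.sha256(b"constructed kdf salt").digest()
TENANT_SECRET_V1 = hashlib.sha256(b"constructed tenant secret v1").digest()
TENANT_SECRET_V2 = hashlib.sha256(b"constructed tenant secret v2").digest()
```

Rotating from TENANT_SECRET_V1 to TENANT_SECRET_V2 changes the derived DEK, which is why data must be re-encrypted (or old secrets retained) after a rotation.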
          Salesforce Help | Article