External Key Management (EKM) Option
EKM provides the ability to set up and configure keys within supported public cloud key management services controlled by the customer, for use by Salesforce as permitted by the customer. After the wrapped DEKs are in place, they’re used like any other Shield Platform Encryption DEK. When a DEK is needed, Shield Platform Encryption sends the wrapped DEK to the external KMS over TLS and requests that it unwrap the DEK. The unwrapped DEK is returned to Shield Platform Encryption over TLS and placed in the encrypted key cache. The DEK is cached for a limited time and is never persisted in plaintext.
EKM uses a root key. A root key tracks the key that the customer admin manages on the external KMS. Customers apply Salesforce generated root key policies within the Shield Platform Encryption UI. They then add these policies to their external KMS account. The policies enable Shield Platform Encryption to do two things:
- Request that the root key on the external KMS create a wrapped DEK.
- Request unwrapping of a wrapped DEK by the root key on the external KMS.
A company wants to take advantage of its investment in AWS KMS key management. It creates a root key specifically for Shield Platform Encryption operations.
In Salesforce, they generate a unique AWS KMS Key Policy to permit the Shield Platform Encryption service to perform the minimum required operations.
- Once their Salesforce admin vets the policy and applies it to the AWS KMS key that they own, the setup is complete. Salesforce creates the first EKM-based DEK, and an active root key appears under the Root Key Inventory of the Key Management page in Salesforce Setup.
- With an active root key available, the customer can trigger DEK generation. This action requires a Generate DEK request from Salesforce to the external AWS KMS.
- The AWS KMS generates a symmetric AES-256 key and wraps it by using the root key. The only copy of the generated and wrapped DEK is returned to Salesforce to be persisted securely.
- When the DEK is needed, Salesforce Shield Platform Encryption invokes the Decrypt operation on the external AWS KMS via the Salesforce Regional KMS (the authorized principal). As part of the Decrypt request, Salesforce passes the wrapped DEK, the necessary encryption context, and the AWS KMS key reference back to the external AWS KMS. The plaintext DEK is then returned to Salesforce over a TLS connection. Finally, the key is passed over mTLS to the specific internal service that needs it.
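As an added example (not the policy Salesforce generates in Setup, and not Salesforce code), the following Python sketches what a least-privilege AWS KMS key policy for this scenario looks like: the external principal gets only the two operations described above, bound to an encryption context, while the customer account keeps administration. A small review function flags policies that grant more than that. The principal ARN, account id, context key name and org value are placeholders.

```python
# Constructed placeholders: the real principal ARN and context values come from
# the root key policy that Salesforce generates in Setup.
CUSTOMER_ACCOUNT = "111122223333"                                   # placeholder
SALESFORCE_PRINCIPAL = "arn:aws:iam::999999999999:role/PLACEHOLDER-REGIONAL-KMS"
ALLOWED_ACTIONS = {"kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt"}

def build_key_policy(org_context: str) -> dict:
    """Key policy: customer keeps administration; the external principal may only
    create wrapped DEKs and unwrap them, and only with the expected context."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CustomerKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ShieldPlatformEncryptionMinimum", "Effect": "Allow",
         "Principal": {"AWS": SALESFORCE_PRINCIPAL},
         "Action": sorted(ALLOWED_ACTIONS), "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:EncryptionContext:SalesforceOrg": org_context}}},
    ]}

def review_external_grants(policy: dict) -> list:
    """Findings for Allow statements that give a non-customer principal more than
    the EKM minimum, use a wildcard principal, or omit the context binding."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append(f"{sid}: wildcard principal")
            if f":{CUSTOMER_ACCOUNT}:" in p:
                continue  # the customer's own administrators
            extra = sorted(a for a in actions if a not in ALLOWED_ACTIONS)
            if extra:
                findings.append(f"{sid}: {p} allowed {extra}")
            ctx = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.startswith("kms:EncryptionContext:") for k in ctx):
                findings.append(f"{sid}: {p} has no encryption-context condition")
    return findings
```

Run `review_external_grants` against the policy actually attached to the root key; an empty list means the external grant is limited to the two operations and carries the context condition.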
[Figure: External Key Management Flow]
For EKM, Shield Platform Encryption relies on the customer’s external KMS to generate and secure the DEKs used by the Shield Platform Encryption service. These DEKs reside in the Salesforce encrypted key cache in a wrapped state. When an encryption or decryption operation is needed, the appropriate DEK is unwrapped by the external KMS. The external KMS then sends the unwrapped DEK securely back to the Shield Platform Encryption service, which stores it in the Salesforce encrypted key cache. Encryption and decryption operations then use the cached DEKs.
