          Keys and Secrets

          Shield Platform Encryption uses a hierarchy of secrets, key material, and key fragments to deliver its encryption service. This glossary describes what each component does, what type of value it is, how it's generated, and where it's stored.

          Glossary

          For a high-level explanation of how the most important key components go together, check out Tenant Secrets, Root Keys, DEKs, and More.

          Cache Key Encrypting Key

          Function
          Org-specific key used to encrypt derived and customer-supplied data encryption keys in the encrypted key cache
          Type
          AES-256 key
          How it’s generated
          Generated when a data encryption key is generated, rotated, or destroyed
          Where it’s stored
          Encrypted with the tenant wrapping key and stored in the database

          Content Encryption Key (CEK)

          Function
          Unique key that wraps the data encryption key supplied by a customer’s specified key service
          Type
          AES-256 key
          How it’s generated
          Generated by customer
          Where it’s stored
          Stored as part of the customer-supplied data encryption key, encrypted with the cache key encrypting key, in the encrypted key cache

          Data Encryption Key (DEK)

          Function
          Org-specific key used to encrypt customer data. The key used for encryption and decryption.
          Type
          AES-256 key
          How it’s generated
          Generated on the Shield KMS with PBKDF2 for Field-Level Encryption, HKDF for Database Encryption, or generated by the customer
          Where it’s stored
          Never persisted on disk in any form. Customer-supplied DEKs and DEKs derived on demand are held only in the encrypted key cache.

          Regional HSM Encryption Key Pair

          Function
          Used to encrypt and decrypt data that can only be accessed on the regional KMS
          Type
          4096-bit RSA key pair
          How it’s generated
          Generated upon initialization of the regional HSM
          Where it’s stored
          Public key is signed by the primary HSM and stored in the Salesforce internal file system. The private key can’t be accessed outside of the regional KMS.

          Primary HSM Encryption Key Pair

          Function
          Used to encrypt and decrypt data that can only be accessed on the primary HSM
          Type
          4096-bit RSA key pair
          How it’s generated
          Generated upon initialization of the primary HSM
          Where it’s stored
          Public key is stored in the Salesforce internal file system. The private key can't be accessed outside of the primary HSM.

          Primary HSM Signing Key Pair

          Function
          Used to verify the public keys of regional HSMs
          Type
          4096-bit RSA key pair
          How it’s generated
          Generated upon initialization of the primary HSM
          Where it’s stored
          Signing key pairs can’t be accessed outside of the primary HSM

          KDF Seed

          Function
          Also known as primary secret. Used in conjunction with organization tenant secrets to derive data encryption keys
          Type
          256-bit value
          How it’s generated
          Generated once each release by the primary HSM
          Where it’s stored
          Stored in the primary KMS

          KDF Salt

          Function
          Also known as primary salt. Used as input to PBKDF2 to derive data encryption keys
          Type
          256-bit value
          How it’s generated
          Generated once each release by the primary HSM
          Where it’s stored
          Stored in the primary KMS

          Primary Wrapping Key

          Function
          Used to encrypt the KDF seed, KDF salt, tenant wrapping key, and transit wrapping private key before they’re stored in the Salesforce internal file system
          Type
          AES-256 key
          How it’s generated
          Generated once each release by the primary HSM
          Where it’s stored
          Encrypted with each regional HSM’s public encryption key and the primary HSM’s public encryption key and stored in the Salesforce internal file system

          Root Key

          Function
          A special 256-bit key that’s used to wrap and unwrap DEKs for EKM, Search, and BYOK encryption.
          Type
          256-bit key
          How it’s generated
          Shield Platform Encryption root keys are generated on the Shield KMS. External root keys are generated by the customer KMS admin on the external KMS.
          Where it’s stored
          Root keys are stored in a key management server, either a Salesforce KMS or an external KMS

          Search Index Root Key

          Function
          Wrap and unwrap Search Index DEKs
          Type
          256-bit value
          How it’s generated
          Generated by the customer when Search encryption is activated
          Where it’s stored
          Stored in the regional Shield KMS

          Search Index Data Encryption Key

          Function
          Used to encrypt and decrypt the search index segments.
          Type
          AES-256 key
          How it’s generated
          Generated on the Shield KMS and wrapped with the customer’s Search encryption root key.
          Where it’s stored
          Stored in the Search service database, wrapped by the customer's Search encryption root key. Unwrapped on demand and held in the encrypted key cache.

          Tenant Secret

          Function
          Combined with the KDF seed to derive a unique data encryption key
          Type
          256-bit value
          How it’s generated
          Generated on customer demand by the HSM on the regional Shield KMS, or uploaded by the customer
          Where it’s stored
          Encrypted with the tenant wrapping key, sent from the regional Shield KMS to an application server on the Lightning Platform, and stored in the database

          Field-Level Encryption Initialization Vector (IV)

          Function
          Used as input to PBKDF2 to encrypt field data
          Type
          128-bit value
          How it’s generated
          Generated per encrypted field. This static IV is a hash of a field’s entity ID, field ID, and key ID, making it unique to each customer and field per org. Upon key rotation, a new static IV is generated for each field. When data is encrypted deterministically, the application server computes the unique static IV for each field, and then uses the static IV to generate ciphertext.
          Where it’s stored
          Encrypted with the tenant wrapping key, sent from the regional Shield KMS to an application server on the Lightning Platform, and stored in the database

          Tenant Wrapping Key

          Function
          Used to encrypt tenant secrets before they’re stored in the database
          Type
          AES-256 key
          How it’s generated
          Generated once each release by the primary HSM
          Where it’s stored
          Encrypted with the primary wrapping key and stored in the Salesforce internal file system

          Database Tenant Secret

          Function
          Cryptographic key used to encrypt data stored in the database
          Type
          AES-256 key
          How it’s generated
          Generated on demand by the user, or supplied as a Database Encryption BYOK
          Where it’s stored
          The database tenant secret is cached, not stored, in the Salesforce Key Management Server (KMS) cache

          Temporary System Database Tenant Secret

          Function
          Salesforce managed cryptographic key used to encrypt content stored in the database when a database tenant secret is being backed up
          Type
          AES-256 key
          How it’s generated
          Generated whenever a new database tenant secret is created by the user
          Where it’s stored
          Stored wrapped by the primary wrapping key in the Salesforce Key Management Server (KMS). When the Salesforce database is bootstrapped, this key is stored unwrapped within the database.

          Database Fragment Salt

          Function
          Used as the salt input to the OpenSSL HKDF derivation function, which derives the Database Encryption DEKs
          Type
          256-bit value
          How it’s generated
          Generated for each transactional database fragment, which is the smallest unit of data encrypted under Database Encryption
          Where it’s stored
          Encrypted with database tenant secret and stored in the fragment
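          The glossary entries for the Data Encryption Key, KDF Seed, KDF Salt, Tenant Secret, Field-Level Encryption Initialization Vector, and Database Fragment Salt describe three derivations: PBKDF2 over the tenant secret and KDF seed (salted with the KDF salt) for Field-Level Encryption, HKDF with a per-fragment salt for Database Encryption, and a static IV hashed from entity ID, field ID, and key ID for deterministic encryption. The following Python model is an added example written for this article; it is not Salesforce code and does not reproduce the Shield KMS. Salesforce does not publish the PBKDF2 iteration count, the order in which the tenant secret and KDF seed are combined, the HKDF info string, or the exact hash encoding of the IV inputs, so those are assumptions, and every sample value is constructed. What the model does show is the properties the glossary implies: the same inputs always yield the same key, rotating the tenant secret (or the key ID) changes every derived value, and each database fragment gets its own DEK.

```python
import hashlib
import hmac

# Assumed for illustration only: Salesforce does not publish its iteration
# count or the exact combination of seed and tenant secret.
PBKDF2_ITERATIONS = 10_000
AES_256_KEY_LEN = 32


def derive_field_dek(tenant_secret: bytes, kdf_seed: bytes, kdf_salt: bytes) -> bytes:
    """Field-Level Encryption DEK: PBKDF2-HMAC-SHA256 keyed from the 256-bit
    tenant secret and 256-bit KDF seed, salted with the 256-bit KDF salt.
    Concatenating secret||seed as the PBKDF2 password is an assumption."""
    for name, value in (("tenant secret", tenant_secret), ("KDF seed", kdf_seed), ("KDF salt", kdf_salt)):
        if len(value) != 32:
            raise ValueError(f"{name} must be a 256-bit value")
    return hashlib.pbkdf2_hmac("sha256", tenant_secret + kdf_seed, kdf_salt,
                               PBKDF2_ITERATIONS, AES_256_KEY_LEN)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = AES_256_KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256, as OpenSSL's HKDF implements it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 255 blocks")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_fragment_dek(db_tenant_secret: bytes, fragment_salt: bytes) -> bytes:
    """Database Encryption DEK for one transactional fragment: the database
    tenant secret is the HKDF keying material and the fragment's own 256-bit
    salt is the HKDF salt, so every fragment gets a distinct key.
    The info label is an assumption."""
    if len(fragment_salt) != 32:
        raise ValueError("fragment salt must be a 256-bit value")
    return hkdf_sha256(db_tenant_secret, fragment_salt, b"shield-db-fragment-dek")


def static_iv(entity_id: str, field_id: str, key_id: str) -> bytes:
    """Deterministic 128-bit static IV hashed from entity ID, field ID and key ID.
    Each part is length-prefixed (an assumption) so that shifting characters
    between parts cannot collide."""
    h = hashlib.sha256()
    for part in (entity_id, field_id, key_id):
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(2, "big") + raw)
    return h.digest()[:16]


if __name__ == "__main__":
    # Constructed sample values; real secrets are HSM-generated random bytes.
    seed, salt = bytes([0xA5] * 32), bytes([0x5A] * 32)
    tenant_secret_v1, tenant_secret_v2 = bytes(range(32)), bytes(range(32, 64))
    dek_v1 = derive_field_dek(tenant_secret_v1, seed, salt)
    dek_v2 = derive_field_dek(tenant_secret_v2, seed, salt)
    print("rotating the tenant secret changes the DEK:", dek_v1 != dek_v2)
    frag_a = derive_fragment_dek(tenant_secret_v1, bytes([1] * 32))
    frag_b = derive_fragment_dek(tenant_secret_v1, bytes([2] * 32))
    print("each database fragment gets its own DEK:", frag_a != frag_b)
    iv_old = static_iv("Account", "Phone", "key-v1")
    iv_new = static_iv("Account", "Phone", "key-v2")
    print("key rotation yields a new static IV per field:", iv_old != iv_new)
```

          Because the static IV is a function of the key ID, rotating the tenant secret changes both the DEK and the IV, which is why deterministically encrypted ciphertexts must be re-encrypted (and matching queries rerun) after rotation rather than compared across key versions.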