Key Generation and Management Architecture

We use traceable and secure methods for creating key material. This section explores the architecture behind Salesforce's key generation and management, emphasizing the security of encryption keys. It details how Salesforce uses highly secure and traceable processes, including a Hardware Security Module (HSM) and a Key Escrow Server, to generate and manage cryptographic key material.

The content also explains how Data Encryption Keys (DEKs) are derived from securely wrapped and stored secrets, ensuring they are never persisted in a composite form. Furthermore, it introduces the concept of root key wrapping, a method used by some features to enable customer-controlled key generation and wrapping. Finally, it highlights the flexibility offered to customers, allowing them to manage their own keys through options like frequent key rotation.

• Secure Secret Material Generation via HSM and Primary Keys
  Your data may be encrypted, but unless your encryption keys are generated and stored securely, your data is still vulnerable. Salesforce uses a highly secure and traceable process for generating its primary keys and your tenant secrets. New primary keys are generated regularly, and all key material is securely stored in key management servers.
• Data Encryption Key Derivation
  Shield Platform Encryption uses the Shield Key Management Service to derive DEKs for encrypting customer data at rest. DEKs are derived from partial key secrets that are securely wrapped and stored in the Shield KMS. Key derivation ensures that the derived keys are never persisted in their composite forms, and it enables customers to control the key lifecycle.
• Root Key Wrapping
  Some of the Shield Platform Encryption features, like Search Index Encryption, make use of a customer-controlled root key for DEK wrapping.
          Salesforce Help | Article