          Per-Release Secret Generation and Export

          At the start of each release, a Salesforce cryptographic security officer conducts a High Assurance Virtual Ceremony (HAVC) to generate the per-release secrets and keys. Once created, the secrets are sent to the regional Shield KMSs.

          Per-release secret generation
          1. During the HAVC, the primary HSM generates these secrets.
            • KDF seed
            • KDF salt
            • Tenant wrapping key (TWK)
            Each secret is stored on the primary KMS.
          2. A key escrow server receives requests from regional key brokers for the KDF seed, KDF salt, and tenant wrapping key.
          3. Each regional Shield KMS generates random byte data through its HSM and sends it to the key escrow server.
          4. The key escrow server retrieves the secrets from the primary Shield KMS and returns them to the key brokers.
          5. The key brokers install the secrets onto the regional Shield KMSs.

          After all the secrets are in the regional Shield KMSs, they’re used for encryption services to tenant orgs in the region.
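The five steps above, modelled as an added example (this is not Salesforce code, and the page does not describe the real message formats, key lengths or KDF). The model assumes 32-byte secrets, uses HKDF-SHA256 to stand in for whatever KDF consumes the seed and salt, and treats the regional HSM's random bytes as a request nonce that the regional KMS checks before installing a bundle; the purpose of those bytes is not stated on the page, so that binding is an assumption of the model.

```python
"""Illustrative model of the per-release secret flow (added example, not
Salesforce code): the primary HSM generates a KDF seed, KDF salt and tenant
wrapping key; a key escrow server hands them to regional key brokers, which
install them on regional KMSs that then derive per-tenant keys.
HKDF-SHA256, the 32-byte secret size and the nonce check are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SECRET_LEN = 32  # assumed; the page does not state key lengths


@dataclass(frozen=True)
class ReleaseSecrets:
    release: str
    kdf_seed: bytes
    kdf_salt: bytes
    tenant_wrapping_key: bytes


def havc_generate(release: str, rng: Callable[[int], bytes] = secrets.token_bytes) -> ReleaseSecrets:
    """Step 1: the primary HSM generates three independent random secrets.
    `rng` stands in for the HSM's random source (assumption)."""
    return ReleaseSecrets(release, rng(SECRET_LEN), rng(SECRET_LEN), rng(SECRET_LEN))


class PrimaryKMS:
    """Holds the secrets produced during the HAVC, keyed by release."""
    def __init__(self) -> None:
        self._store: Dict[str, ReleaseSecrets] = {}

    def store(self, s: ReleaseSecrets) -> None:
        self._store[s.release] = s

    def fetch(self, release: str) -> ReleaseSecrets:
        return self._store[release]


class KeyEscrowServer:
    """Steps 2 and 4: receives a broker request, retrieves the release secrets
    from the primary KMS and returns them with the broker's nonce echoed back."""
    def __init__(self, primary: PrimaryKMS) -> None:
        self._primary = primary

    def handle(self, release: str, nonce: bytes) -> Tuple[bytes, ReleaseSecrets]:
        return nonce, self._primary.fetch(release)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class RegionalKMS:
    """Steps 3 and 5: supplies HSM random bytes for the request and installs the
    secrets, refusing a response that does not echo its outstanding nonce."""
    def __init__(self, region: str, rng: Callable[[int], bytes] = secrets.token_bytes) -> None:
        self.region = region
        self._rng = rng
        self._pending: Optional[bytes] = None
        self.secrets: Optional[ReleaseSecrets] = None

    def request_material(self) -> bytes:
        self._pending = self._rng(16)  # random byte data from the regional HSM
        return self._pending

    def install(self, nonce: bytes, s: ReleaseSecrets) -> None:
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            raise ValueError("response does not match an outstanding request")
        if not (s.kdf_seed and s.kdf_salt and s.tenant_wrapping_key):
            raise ValueError("incomplete secret bundle")
        self.secrets, self._pending = s, None

    def derive_tenant_key(self, tenant_id: str) -> bytes:
        """Per-tenant key from the release seed and salt (derivation scheme assumed)."""
        if self.secrets is None:
            raise RuntimeError("no release secrets installed")
        return hkdf_sha256(self.secrets.kdf_seed, self.secrets.kdf_salt, b"tenant:" + tenant_id.encode())


def key_broker_sync(escrow: KeyEscrowServer, regional: RegionalKMS, release: str) -> None:
    """The regional key broker: obtain HSM random bytes, request the release
    secrets from escrow, and install what comes back on the regional KMS."""
    nonce = regional.request_material()
    echoed, bundle = escrow.handle(release, nonce)
    regional.install(echoed, bundle)


if __name__ == "__main__":
    primary = PrimaryKMS()
    primary.store(havc_generate("release-A"))  # constructed release label
    escrow = KeyEscrowServer(primary)
    eu, us = RegionalKMS("eu"), RegionalKMS("us")
    key_broker_sync(escrow, eu, "release-A")
    key_broker_sync(escrow, us, "release-A")
    print(eu.derive_tenant_key("org-1").hex() == us.derive_tenant_key("org-1").hex())
```

Two regional KMSs that installed the same release bundle derive the same key for a tenant, a new release (new seed and salt) yields different tenant keys, and a response carrying a stale nonce is rejected at install time.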

          For definitions of each secret and key, refer to the Keys and Secrets section.

          Salesforce Help | Article