Storing Encrypted Payloads for Application Tier Encryption
For FLE and other application tier features, encrypted data is stored in the database with its metadata.
The metadata includes:
- A bit that, when set, indicates the field contains ciphertext
- The ID of the customer’s key material used to derive the matching encryption key
- A 128-bit IV, random for probabilistic encryption or static for deterministic encryption
The key material's ID is used to locate the key value and its creation date, both of which are stored in a Salesforce object called TenantSecret. When a user accesses or saves encrypted data, the encryption service sends a request to the regional Shield KMS. The regional Shield KMS then uses the customer's key material and the corresponding KDF seed, identified by the key material's generation or upload date, to derive a data encryption key (DEK). With a random IV, the DEK encrypts the data non-deterministically, so the same plaintext produces a different ciphertext on every save. With a static IV, the same plaintext always produces the same ciphertext, which is what deterministic encryption relies on.
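The following Go program is an added example, not Salesforce code, that models the storage format and the read/write path described above: a payload carrying the ciphertext flag bit, the key material ID, a 128-bit IV and the ciphertext; a lookup of key material and KDF seed by ID in place of the TenantSecret object; DEK derivation from the two; and AES-256-CBC encryption with either a fresh random IV (non-deterministic) or a caller-supplied static IV (deterministic). The in-memory `keyStore` map, the `tenantSecret` field layout, HKDF-SHA256 as the KDF, CBC with PKCS#7 padding, and all identifiers and sample values are assumptions made for illustration; the page does not specify Shield KMS's KDF, cipher mode or object fields.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tenantSecret stands in for one TenantSecret record: the customer's key
// material and the KDF seed that belongs with it (assumed layout).
type tenantSecret struct {
	KeyMaterial []byte
	KDFSeed     []byte
}

// keyStore maps key material ID -> secret, in place of the TenantSecret object.
var keyStore = map[string]tenantSecret{}

func registerTenantSecret(id string, keyMaterial, kdfSeed []byte) {
	keyStore[id] = tenantSecret{KeyMaterial: keyMaterial, KDFSeed: kdfSeed}
}

// encryptedPayload is what the field stores: the ciphertext flag bit, the key
// material ID, the 128-bit IV and the ciphertext itself.
type encryptedPayload struct {
	IsCiphertext bool
	KeyID        string
	IV           [aes.BlockSize]byte
	Ciphertext   []byte
}

// deriveDEK derives a 256-bit DEK from key material and seed using HKDF-SHA256
// (extract, then one expand block). The real KDF is not on the page; this is
// an assumed, standard choice.
func deriveDEK(keyMaterial, seed []byte) []byte {
	extract := hmac.New(sha256.New, seed)
	extract.Write(keyMaterial)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("field-dek"))
	expand.Write([]byte{1})
	return expand.Sum(nil) // 32 bytes: an AES-256 key
}

// pkcs7Pad / pkcs7Unpad give CBC whole 16-byte blocks and verify them on read.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptField is the save path. staticIV == nil selects a fresh random IV
// (non-deterministic ciphertext); a 16-byte staticIV makes the same plaintext
// always encrypt to the same ciphertext.
func encryptField(keyID string, plaintext, staticIV []byte) (encryptedPayload, error) {
	ts, ok := keyStore[keyID]
	if !ok {
		return encryptedPayload{}, fmt.Errorf("unknown key material ID %q", keyID)
	}
	p := encryptedPayload{IsCiphertext: true, KeyID: keyID}
	switch {
	case staticIV == nil:
		if _, err := rand.Read(p.IV[:]); err != nil {
			return encryptedPayload{}, err
		}
	case len(staticIV) != aes.BlockSize:
		return encryptedPayload{}, errors.New("static IV must be 128 bits")
	default:
		copy(p.IV[:], staticIV)
	}
	block, err := aes.NewCipher(deriveDEK(ts.KeyMaterial, ts.KDFSeed))
	if err != nil {
		return encryptedPayload{}, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	p.Ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, p.IV[:]).CryptBlocks(p.Ciphertext, padded)
	return p, nil
}

// decryptField is the read path: honour the flag bit, look the key material up
// by ID, re-derive the same DEK, and decrypt with the IV stored beside the data.
func decryptField(p encryptedPayload) ([]byte, error) {
	if !p.IsCiphertext {
		return nil, errors.New("field is stored in cleartext, nothing to decrypt")
	}
	if len(p.Ciphertext) == 0 || len(p.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	ts, ok := keyStore[p.KeyID]
	if !ok {
		return nil, fmt.Errorf("unknown key material ID %q", p.KeyID)
	}
	block, err := aes.NewCipher(deriveDEK(ts.KeyMaterial, ts.KDFSeed))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(p.Ciphertext))
	cipher.NewCBCDecrypter(block, p.IV[:]).CryptBlocks(out, p.Ciphertext)
	return pkcs7Unpad(out)
}
```

Registering a secret and encrypting the same value twice with `staticIV == nil` yields two different ciphertexts that both decrypt to the original; passing the same 16-byte static IV twice yields identical ciphertexts. Rotating key material is then a matter of registering a new ID and writing new payloads with it, while existing payloads keep decrypting because they carry the ID of the material that produced them.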

