
Enable Bring Your Own Encryption Keys (Pilot)

Knowledge Article Number 000233728
Description: The "Enable Bring Your Own Encryption Keys Pilot" program includes a number of capabilities. We'll outline what those are, and what you should do if you'd like to take part in this pilot program.


Contact your Salesforce account executive for more information about this pilot. To be suitable for this pilot, you must have an active / courtesy / DE Platform Encryption or Salesforce Shield license on the organization.

Bring Your Own Encryption Keys capabilities

1. Create key material (in this case the Tenant Secret used by Platform Encryption to derive the org-specific data encryption key) outside of Salesforce using your own crypto libraries, enterprise key management system, or hardware security module.
2. Create a certificate signed by a third-party certificate authority, then use the public key from that certificate to wrap the Tenant Secret before uploading it to Salesforce. Alternatively, you can create a self-signed certificate.
3. [Optional] Key Brokering: Use a third-party key management service to generate Tenant Secrets, wrap those secrets with the public key, and upload the wrapped Tenant Secret securely to Salesforce.
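
The generate-and-wrap flow from items 1 and 2, sketched with the OpenSSL command line as an added example (not Salesforce tooling and not part of the original article). The 256-bit secret size, the throwaway RSA-2048 self-signed certificate, and OAEP with SHA-256 are assumptions, since this article does not state the parameters Salesforce requires; the local private key exists only so the demo can confirm the round trip.

```shell
#!/bin/sh
# Added example: constructed demo of wrapping a locally generated secret
# with the public key from a certificate. All parameters are assumptions.

# Step 1: create the key material outside Salesforce (32 random bytes).
make_tenant_secret() {  # $1 = output file
    ( umask 077; openssl rand -out "$1" 32 )
}

# Step 2: extract the public key from the certificate and wrap the secret.
wrap_tenant_secret() {  # $1 = cert PEM, $2 = secret file, $3 = wrapped output
    openssl x509 -in "$1" -pubkey -noout > "$3.pub" &&
    openssl pkeyutl -encrypt -pubin -inkey "$3.pub" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Round-trip check against a throwaway self-signed certificate.
# Prints the wrapped blob size in bytes and returns 0 only if the
# unwrapped secret matches the original byte for byte.
byok_roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=byok-demo" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    make_tenant_secret "$dir/secret.bin" &&
    wrap_tenant_secret "$dir/cert.pem" "$dir/secret.bin" "$dir/wrapped.bin" &&
    openssl pkeyutl -decrypt -inkey "$dir/key.pem" -in "$dir/wrapped.bin" \
        -out "$dir/check.bin" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 &&
    cmp -s "$dir/secret.bin" "$dir/check.bin" &&
    echo $(( $(wc -c < "$dir/wrapped.bin") ))
    rc=$?
    rm -rf "$dir"   # the plaintext secret must not outlive the demo
    return $rc
}
```

Calling `byok_roundtrip_demo` prints the size of the wrapped blob, which equals the RSA modulus size in bytes. Only the wrapped file would ever leave the machine or HSM that generated the secret.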

If you're having trouble contacting your Account Executive, take the following steps to have Support nominate you for the "Enable Bring Your Own Encryption Keys" pilot program:
1. Verify that the Organization where you want the feature to be enabled is on an edition where the feature is available.
2. Have a System Administrator log a Case with Salesforce Support.
3. Mark the case as "feature activation" in the General Application Area.

Required information for case description

    Feature requested: Enable Bring Your Own Encryption Keys
    Organization ID where you want the feature to be enabled:
    A statement identifying you as the system admin: I am the system admin in charge of this feature.
    Answers to the following questions:
    1. Why are you a good fit for this pilot program?
    2. Who is the main contact for this pilot program? (must be available to provide feedback)
    3. Org IDs where the feature should be enabled? (must be a Developer or sandbox org with an active / courtesy / DE Platform Encryption or Salesforce Shield license)
    4. What type of business are you in?
    5. How many employees does your company have?
    6. Do you have specific regulations that include requirements for encrypting data at rest?
    7. Are you evaluating the use of cloud services with internal risk management and info sec requirements to encrypt data at rest?
    8. Do you have sophisticated key management requirements?

Once our Support Team gets the requested information, we'll review the case and take action as needed.
