Loading
Feature degradation | Gmail Email delivery failureRead More
Own from Salesforce
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Bring Your Own Key (BYOK) for Recover

            You are here:

            1. Salesforce Help
            2. Docs
            3. Own from Salesforce

            Bring Your Own Key (BYOK) for Recover

            Bring Your Own Key (BYOK) gives you more control over your encryption keys. You can create your own encryption keys to encrypt your cloud data. Your data will be encrypted using these keys, not derivative or composite keys. Encrypted, dedicated data tenancy helps you meet advanced security requirements. Schedule key rotation, or rotate keys on demand. If needed, you can also immediately revoke keys.

            Today’s enterprises bear higher data protection liability and business risk than ever before. Increasingly, stricter and more comprehensive enterprise security policies are required to protect organizational assets and privacy. With that, data encryption procedures must keep pace with fast-moving business strategies and security requirements. For many organizations, maintaining a comprehensive encryption key management system is essential for protecting data in the cloud.

            BYOK allows organizations to meet increased security requirements and to use and keep safe their own data encryption keys.

            BYOK is an extremely powerful ability and can play a critical role within an organization’s data protection strategy. Access to the administration of these additional controls is limited to your organization’s Account Owner.

            BYOK enables additional information-security controls over the encryption keys that are used to encrypt customer data.

            When BYOK is enabled and a master encryption key is set, account data is moved to a dedicated volume/bucket that is encrypted at rest with your customer-provided master encryption key.

            Important
            Important

            Once BYOK is enabled, it can't be disabled.

            You can later archive that key and replace it with another master encryption key. When a new master encryption key is provided, a new dedicated volume/bucket will be created and the data re-encrypted with the new master encryption key. Active master encryption keys can also be revoked, resulting in immediate inaccessibility to the underlying data.

            Own Backup secure data management architecture diagram

            • Set Up and Manage Bring Your Own Key for Recover (AWS)
              Set up, manage, and migrate Bring Your Own Key (BYOK) for enhanced data security in an AWS region.
            • Set Up and Manage Bring Your Own Key for Recover (Azure)
              Set up, manage, and migrate Bring Your Own Key (BYOK) for enhanced data security in an Azure region.
            • Bring Your Own Key Management Service for Recover
              Encrypting the S3 bucket used to store your data using your AWS Key Management Service (KMS) gives you sole access and management capabilities of the key used to encrypt the bucket. BYOKMS enhances Bring Your Own Key (BYOK) activities. Backups are stored in AWS Simple Storage Service (S3) with a separate S3 bucket for each customer.
            • Bring Your Own Key Vault for Backup & Recover
              Install the enterprise application to store your data using your Azure Key Vault. This gives you sole access and management capabilities of the key used to encrypt the storage account where your data is stored. Bring Your Own Key Vault (BYOKV) is an enhancement to Bring Your Own Key (BYOK).
             
            Loading
            Salesforce Help | Article