          Cache-Only Key Service

          Shield Platform Encryption’s Cache-Only Key Service addresses a unique need for non-persisted key material. You can store your key material outside of Salesforce in any key repository or service that you control and have the Cache-Only Key Service fetch your key on demand from that key service. Your key service transmits your key over a secure channel that you configure, and the Cache-Only Key Service uses your key for immediate encrypt and decrypt operations. Salesforce doesn’t retain or persist your cache-only keys in any system of record or backups. You can revoke key material at any time.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and the External Key Management Service.
          Note: Both BYOK and the Cache-Only Key Service give you full control over which key service you use for your external keys. EKM supports only AWS KMS.
          • How Cache-Only Keys Work
            The Shield Platform Encryption Cache-Only Key Service provides access to various key services to generate, secure, and store your key material. Because a cache-only key bypasses the key derivation process, it’s used to directly encrypt and decrypt your data. You can use an on-premises key service, host your own cloud-based key service, or use a cloud-based key brokering vendor. Services that incorporate named principals for credentials are recommended, although key services that use legacy named credentials without named principals are supported.
          • Prerequisites and Terminology for Cache-Only Keys
            Shield Platform Encryption’s Cache-Only Key Service offers you more control over your key material. When you use cache-only keys, you take on more of the key-management tasks yourself. Before you start using the service, review how to create and host your key material in a way that’s compatible with Salesforce’s BYOK service. Also review several important terms relevant to the Cache-Only Key Service.
          • Optimize Security Using Named Credentials and Cache-Only Keys
            You can use an externally managed key as your cache-only key. External credentials create a secure connection between Salesforce and your external-key repository. For optimal security, set up an external credential that uses a named principal to authenticate into your external service on behalf of all users authorized to manage key material. Salesforce recommends you use this method instead of a legacy named credential if you use an external key management service along with cache-only keys.
          • Create and Assemble Your Key Material
            The Shield Platform Encryption Cache-Only Key Service is compatible with 256-bit AES keys that are wrapped using JSON Web Encryption (JWE) and returned to Salesforce in a JSON response.
          • Add Replay Detection for Cache-Only Keys
            Replay detection protects your cache-only keys if a callout is fraudulently intercepted. When enabled, replay detection inserts an autogenerated, unique marker called a RequestIdentifier into every callout. The RequestIdentifier includes the key identifier, a nonce generated for that callout instance, and the nonce required from the endpoint. The RequestIdentifier serves as a random, one-time identifier for each valid callout request. After you set up your key service to accept and return the RequestIdentifier, any callout with missing or mismatched RequestIdentifiers is aborted.
          • Check Your Cache-Only Key Connection
            Because your cache-only key material is stored outside of Salesforce, it’s important to maintain a functional callout connection. Use the Callout Check page to monitor your connection and quickly respond to key service interruptions that could prevent the service from fetching your keys.
          • Destroy a Cache-Only Key
            When you destroy a cache-only key, you’re destroying two things: the key in the cache and the callout connection to the key service.
          • Reactivate a Cache-Only Key
            If you still have your named credential associated with a key that was destroyed in Salesforce, you can reactivate a destroyed cache-only key from Setup or programmatically through the API. Reactivating a destroyed key makes it the active key. Before you reactivate a destroyed key, make sure that the corresponding key service connection is recovered.
          • Considerations for Cache-Only Keys
            These considerations apply to all data that you encrypt using the Shield Platform Encryption Cache-Only Key Service.
          • Troubleshoot Cache-Only Keys
            These frequently asked questions can help you troubleshoot problems that arise with Shield Platform Encryption’s Cache-Only Key Service.
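The "Create and Assemble Your Key Material" item above describes the shape of what the key service hands back: a 256-bit AES key wrapped as a JWE and delivered inside a JSON document. The following Go program is an added example written for this page, not Salesforce’s or any key-service vendor’s code. It assumes JWE compact serialization with the protected header {"alg":"RSA-OAEP","enc":"A256GCM","kid":...} (RFC 7518 defines RSA-OAEP as OAEP with SHA-1 and MGF1-SHA1), assumes the response field names kid and jwe, and assumes Salesforce holds the matching RSA private key; none of those details appear on this page. WrapKey is what your key service runs, and UnwrapKey shows what the receiving side must check before it trusts the key: the algorithm fields are validated before any decryption, and the GCM tag (computed over the protected header as AAD) rejects a token whose header, IV or ciphertext has been altered in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeyResponse is the JSON body the key service returns. The field names are an
// assumption made for this example, not taken from the Salesforce page.
type KeyResponse struct {
	Kid string `json:"kid"`
	JWE string `json:"jwe"`
}

var b64 = base64.RawURLEncoding

func gcmFor(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey wraps a 256-bit data encryption key (dek) in JWE compact serialization
// and packages it as the JSON response. Per RFC 7518, "RSA-OAEP" is OAEP with
// SHA-1/MGF1-SHA1 and "A256GCM" is AES-256-GCM; both header values are assumed.
func WrapKey(pub *rsa.PublicKey, kid string, dek []byte) (KeyResponse, error) {
	if len(dek) != 32 {
		return KeyResponse{}, errors.New("cache-only key must be exactly 256 bits")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	cek := make([]byte, 32) // fresh content-encryption key for every wrap
	rand.Read(cek)
	encCEK, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return KeyResponse{}, err
	}
	gcm, err := gcmFor(cek)
	if err != nil {
		return KeyResponse{}, err
	}
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv)
	// RFC 7516: the AAD is the base64url protected header, so alg/enc/kid are
	// bound to the GCM tag and cannot be swapped by whoever relays the token.
	sealed := gcm.Seal(nil, iv, dek, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	jwe := strings.Join([]string{protected, b64.EncodeToString(encCEK),
		b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, ".")
	return KeyResponse{Kid: kid, JWE: jwe}, nil
}

// UnwrapKey is the recipient side: it refuses unexpected algorithms before
// touching the ciphertext and relies on the GCM tag to reject any tampering.
func UnwrapKey(priv *rsa.PrivateKey, jwe string) (string, []byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return "", nil, errors.New("malformed JWE: expected 5 segments")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return "", nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = d
	}
	var hdr map[string]string
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return "", nil, err
	}
	if hdr["alg"] != "RSA-OAEP" || hdr["enc"] != "A256GCM" {
		return "", nil, fmt.Errorf("unexpected JWE algorithms %q/%q", hdr["alg"], hdr["enc"])
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, raw[1], nil)
	if err != nil {
		return "", nil, err
	}
	gcm, err := gcmFor(cek)
	if err != nil {
		return "", nil, err
	}
	dek, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return "", nil, fmt.Errorf("JWE authentication failed: %w", err)
	}
	if len(dek) != 32 {
		return "", nil, errors.New("unwrapped key is not 256 bits")
	}
	return hdr["kid"], dek, nil
}
```

Generate the 256-bit key with a cryptographic RNG on the key-service side, keep the RSA private key only where the unwrap happens, and mint a new content-encryption key on every wrap as WrapKey does; reusing a GCM nonce under the same content-encryption key would break the wrapping.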
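The "Add Replay Detection for Cache-Only Keys" item above says that each callout carries a one-time RequestIdentifier that the key service must accept and return, and that a callout with a missing or mismatched identifier is aborted. The Go program below is an added example written for this page, not Salesforce’s code and not a real key service. It assumes a JSON request body {"RequestIdentifier":{"kid":...,"nonce":...}}, a response that echoes that object next to a jwe field, and a key service that stores already-wrapped keys; the page does not specify any of that wire format. The service side also refuses a nonce it has already served, which is a defence-in-depth choice made here rather than something the page requires. The wrapped key used as sample data is a constructed placeholder string.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// RequestIdentifier is the per-callout marker. Its JSON shape is an assumption
// for this example; the page only says it carries a key identifier and nonces.
type RequestIdentifier struct {
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
}

// CalloutRequest is what the caller sends; CalloutResponse is what the key
// service must send back, with the identifier echoed unchanged.
type CalloutRequest struct {
	RequestIdentifier RequestIdentifier `json:"RequestIdentifier"`
}

type CalloutResponse struct {
	RequestIdentifier *RequestIdentifier `json:"RequestIdentifier,omitempty"`
	JWE               string             `json:"jwe"`
}

// NewCalloutRequest mints a fresh 128-bit nonce so every callout is unique.
func NewCalloutRequest(kid string) CalloutRequest {
	n := make([]byte, 16)
	rand.Read(n)
	return CalloutRequest{RequestIdentifier{Kid: kid, Nonce: hex.EncodeToString(n)}}
}

// KeyService models the customer-hosted endpoint. It echoes the identifier and,
// as defence in depth (assumed here, not required by the page), refuses to
// serve the same nonce twice.
type KeyService struct {
	mu   sync.Mutex
	seen map[string]bool
	keys map[string]string // kid -> already-wrapped key (JWE compact form)
}

func NewKeyService(keys map[string]string) *KeyService {
	return &KeyService{seen: map[string]bool{}, keys: keys}
}

// Handle takes the request body and returns (response body, HTTP status).
func (s *KeyService) Handle(body []byte) ([]byte, int) {
	var req CalloutRequest
	if err := json.Unmarshal(body, &req); err != nil || req.RequestIdentifier.Nonce == "" {
		return nil, 400
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	id := req.RequestIdentifier
	if s.seen[id.Nonce] {
		return nil, 409 // replayed request: this nonce was already served
	}
	jwe, ok := s.keys[id.Kid]
	if !ok {
		return nil, 404
	}
	s.seen[id.Nonce] = true
	out, _ := json.Marshal(CalloutResponse{RequestIdentifier: &id, JWE: jwe})
	return out, 200
}

// CheckResponse is the caller's side of replay detection: the callout is
// aborted unless the RequestIdentifier comes back present and unchanged.
func CheckResponse(sent CalloutRequest, status int, body []byte) (string, error) {
	if status != 200 {
		return "", fmt.Errorf("key service returned status %d", status)
	}
	var resp CalloutResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.RequestIdentifier == nil {
		return "", errors.New("callout aborted: RequestIdentifier missing from response")
	}
	want, got := sent.RequestIdentifier, *resp.RequestIdentifier
	if got.Kid != want.Kid || subtle.ConstantTimeCompare([]byte(got.Nonce), []byte(want.Nonce)) != 1 {
		return "", errors.New("callout aborted: RequestIdentifier mismatch")
	}
	if resp.JWE == "" {
		return "", errors.New("callout aborted: no key material in response")
	}
	return resp.JWE, nil
}
```

The two checks do different jobs. CheckResponse catches a captured response being replayed into a later callout, because the later callout carries a different nonce. The service-side seen set catches a captured request being replayed at the endpoint to pull the wrapped key a second time, which the caller alone cannot observe.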
          Salesforce Help | Article