          Bring Your Own Key (BYOK)

          When you supply your own tenant secret or data encryption key (DEK), you get the benefits built into Salesforce Shield Platform Encryption, plus the extra assurance that comes from exclusively managing your own key material. Depending on the feature, BYOK supports derived keys and DEKs. To be compatible with Salesforce BYOK, use a PKCS#8-encrypted, Base64-encoded 4096-bit RSA key pair with the appropriate PEM headers and footers.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
          Available in: Enterprise, Performance, and Unlimited Editions with the Salesforce Shield or Shield Platform Encryption licenses.
          Available for free in Developer Edition.
          User Permissions Needed

          To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material: Manage Encryption Keys
          To edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service: Manage Encryption Keys AND Manage Certificates AND Customize Application

          Controlling your own tenant secret or DEK entails:

          • Generating a BYOK-compatible certificate for the type of encryption
          • Using that BYOK-compatible certificate to encrypt and secure your self-generated tenant secret or DEK
          • Granting the Salesforce Shield Platform Encryption key management machinery access to your tenant secret.
          Note: BYOK is available for more than one Shield Platform Encryption feature (FLE, Database Encryption, Data 360, and so on). Make sure you use the right instructions for your feature.

          For easy auditing, all Salesforce-generated and customer-supplied key material is visible on the Key Management page.

          • Bring Your Own Key (BYOK) Overview
            You can generate and store customer-supplied key material outside of Salesforce by using your own crypto libraries, enterprise key management system, or hardware security module (HSM). You then grant the Salesforce Shield Platform Encryption key management machinery access to those keys. You must encrypt your keys with a public key from a self-signed or CA-signed certificate. BYOK is available for FLE, Files and Attachments, Event Bus Data, Search Indexes, Data 360, and Database Encryption.
          • Generate a BYOK-Compatible Certificate
            To encrypt data in Salesforce with Bring Your Own Key (BYOK) key material for any feature, such as field-level encryption or Search Encryption, use Salesforce to generate a 4096-bit RSA certificate. You can generate a self-signed or certificate-authority (CA) signed certificate. Each BYOK-compatible certificate’s private key is encrypted with a derived, org-specific tenant secret key.
          • Generate a Certificate Fingerprint
            Use this script to fetch a certificate’s fingerprint.
          • Wrap BYOK Key Material
            Generate a random number as your BYOK key material. For FLE only, you also calculate a SHA256 hash of the secret and encrypt it with the public key from the BYOK-compatible certificate you generated.
          • Upload Your BYOK Key Material
            Shield Platform Encryption supports BYOK for FLE, Event Log Data, Search Index Encryption, and Database Encryption. Because they all support different encryption targets, they need different types of BYOK key material. For FLE, Event Log Data, and Database Encryption you upload a tenant secret BYOK. For Search Index Encryption you upload a data encryption key (DEK).
          • Opt Out of Key Derivation with BYOK
            For Field-Level Encryption (FLE), Files and Attachments, and Event Bus Data, you can opt out of key derivation and upload a final data encryption key (DEK). Opting out gives you even more control of the key material used to encrypt and decrypt your data.
          • Take Good Care of Your BYOK Keys
            When you create and store your own key material outside of Salesforce, it’s important that you safeguard that key material. Make sure that you have a trustworthy place to archive your key material; never save a tenant secret or data encryption key on a hard drive without a backup.
          • Troubleshooting Bring Your Own Key
            Read these frequently asked questions to help you troubleshoot any problems that arise with Shield Platform Encryption’s Bring Your Own Key service.
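          The steps above, generating the certificate fingerprint, the random key material, its SHA256 hash, and the wrapped (public-key encrypted, Base64-encoded) blobs, can be rehearsed locally before any upload. The script below is an added example, not Salesforce's own fingerprint or wrapping script, and it runs offline against a throwaway self-signed 4096-bit RSA certificate it generates itself, which merely stands in for the BYOK-compatible certificate Salesforce issues. The 32-byte secret length, the RSA-OAEP padding mode, and all file names are assumptions; confirm the current Salesforce instructions for the exact padding and layout the upload expects.

```shell
#!/bin/sh
# Added example, not Salesforce's own script: rehearses the BYOK steps
# (certificate fingerprint, random key material, SHA256 hash, wrapping both
# with the certificate's public key, Base64 output, PKCS#8 format check)
# against a throwaway self-signed certificate generated here so it runs offline.
# Assumptions: a 32-byte secret, RSA-OAEP padding, and the file names below.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Stand-in for the BYOK-compatible certificate Salesforce generates for you.
# Its private key is kept only so the script can prove the wrapping round-trips.
make_demo_cert() {
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1 -subj "/CN=byok-demo" \
    -keyout "$WORKDIR/demo.key" -out "$WORKDIR/demo.crt" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/demo.crt"
}

# SHA256 fingerprint of a certificate as 64 lowercase hex characters, no colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Tenant secret: 32 bytes from the OS CSPRNG (the length is an assumption).
generate_tenant_secret() {
  openssl rand -out "$1" 32
}

# Raw SHA256 digest of the secret; for FLE the wrapped hash is uploaded next to the wrapped secret.
hash_secret() {
  openssl dgst -sha256 -binary "$1" > "$2"
}

# Encrypt a file with the certificate's public key and print it Base64 encoded
# on one line. OAEP is an assumption; confirm the padding mode before uploading.
wrap_with_cert() {
  cert="$1"; infile="$2"; outfile="$3"
  openssl x509 -in "$cert" -pubkey -noout > "$WORKDIR/pub.pem"
  openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$infile" -out "$outfile"
  openssl base64 -A -in "$outfile"
}

# Pre-upload check: RSA ciphertext is exactly the modulus size, 512 bytes for a
# 4096-bit key. Prints 1 when the size matches, 0 otherwise.
ciphertext_is_4096() {
  n=$(wc -c < "$1" | tr -d ' ')
  [ "$n" -eq 512 ] && echo 1 || echo 0
}

# Format check for a private key file: PKCS#8 encrypted PEM with its header and
# footer lines present, the form the page asks for. Prints 1 or 0.
is_encrypted_pkcs8_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' &&
    tail -n 1 "$1" | grep -q '^-----END ENCRYPTED PRIVATE KEY-----$' && echo 1 || echo 0
}

# Demo only: unwrap with the stand-in private key and compare to the original.
# Not possible with a real BYOK certificate, whose private key stays with
# Salesforce. Prints 1 on match, 0 otherwise.
roundtrip_ok() {
  openssl pkeyutl -decrypt -inkey "$WORKDIR/demo.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$WORKDIR/unwrapped.bin"
  [ "$(openssl base64 -A -in "$WORKDIR/unwrapped.bin")" = "$(openssl base64 -A -in "$2")" ] \
    && echo 1 || echo 0
}

run_demo() {
  cert=$(make_demo_cert)
  secret="$WORKDIR/secret.bin"; hash="$WORKDIR/secret.sha256"
  echo "certificate fingerprint: $(cert_fingerprint "$cert")"
  generate_tenant_secret "$secret"
  hash_secret "$secret" "$hash"
  echo "wrapped secret (b64): $(wrap_with_cert "$cert" "$secret" "$WORKDIR/secret.enc")"
  echo "wrapped hash   (b64): $(wrap_with_cert "$cert" "$hash" "$WORKDIR/hash.enc")"
  echo "ciphertext size ok:   $(ciphertext_is_4096 "$WORKDIR/secret.enc")"
  # Convert the demo key to encrypted PKCS#8 (demo passphrase) to exercise the format check.
  openssl pkcs8 -topk8 -in "$WORKDIR/demo.key" -out "$WORKDIR/demo.p8" -passout pass:demo-only
  echo "encrypted PKCS#8 key: $(is_encrypted_pkcs8_pem "$WORKDIR/demo.p8")"
  echo "roundtrip ok:         $(roundtrip_ok "$WORKDIR/secret.enc" "$secret")"
}

run_demo
```

          Only the Base64 strings leave the machine; the raw secret and hash stay in WORKDIR, which is exactly the material the "Take Good Care of Your BYOK Keys" item asks you to archive safely. The round-trip check works here only because the demo holds the private key; with a real BYOK certificate the size check and the fingerprint comparison against what Salesforce shows are the checks you can still run.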
          Salesforce Help | Article