Customer Managed Key Options

Shield Platform Encryption provides two main ways of managing key material. It can generate your tenant secrets and other key material for you and store them securely within the Salesforce database. Or, if you prefer, you can provide key material from an outside source instead:

• Root keys and DEKs can be generated by an external key management server. Root keys are stored within the external KMS. DEKs are wrapped by the root key and securely passed to Salesforce Shield, which stores them alongside the service that needs the DEK.
• Key material can be generated using a custom process and uploaded securely by the customer. The key material is stored on a Salesforce-controlled KMS.
• DEKs can be generated and stored in a customer-managed external KMS. Salesforce is set up to fetch this key into its secure cache on demand but never to persist it.

Not all Shield Platform Encryption features support all of these options. Each option is described in more detail elsewhere in this guide.

• Customers Can Supply Their Own Key Material with EKM, BYOK, and Cache-Only Keys
  Customers can supply their own key material by using External Key Management (EKM), Bring Your Own Key (BYOK), or Cache-Only Keys. Each offers customers a different level of control over key material, and each has different setup requirements. With BYOK, customers generate tenant secrets and data encryption keys outside of Salesforce by using their own crypto libraries, enterprise key management system, or hardware security module, and upload them. With EKM and Cache-Only Keys, customers supply their own DEKs.
• External Key Management (EKM) Option
  With EKM, customers set up and configure keys in a supported public-cloud key management service that they control, and Salesforce uses those keys only as the customer permits. After the wrapped DEKs are in place, they’re used like any other Shield Platform Encryption DEK. When a DEK is needed, Shield Platform Encryption sends the wrapped DEK to the external KMS via TLS and requests that it unwrap the DEK. The unwrapped DEK is returned to Shield Platform Encryption via TLS and placed in the encrypted key cache. The DEK is cached for a limited time and is never persisted as plain text.
• Bring Your Own Key (BYOK) Option
  With BYOK, customers bring key material from outside of Salesforce. They generate the key material by using their own crypto libraries, enterprise key management system, or hardware security module, encrypt it with the public key of a self-signed or certificate authority (CA) certificate, and upload it to Shield Platform Encryption. They can revoke access on demand via the Key Management tooling in Setup or programmatically via the API.
• Cache-Only Keys Option
  Customers can create and store a DEK outside of Salesforce and use Cache-Only Keys to apply that DEK to data in Salesforce. Customers can use an on-premises key service, host their own cloud-based key service, or use a cloud-based key brokering vendor. Root keys and named principals are supported. DEKs are fetched on demand over a secure channel that the customer configures. Salesforce-generated DEKs are wrapped with a cache key encryption key and placed directly in the encrypted key cache for encrypt and decrypt operations. DEKs generated by an external KMS are wrapped by the generating root key and unwrapped by that same root key when needed.
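Envelope encryption is the pattern underneath all three options: a root key that never leaves the KMS wraps a DEK, the wrapped DEK is what gets stored, and the DEK is unwrapped on demand into memory only. The following Go program is an added illustration of that flow, not Salesforce code and not the documented EKM or BYOK wire format. The AES-GCM wrap, the RSA-OAEP/SHA-256 upload step, the `RootKey`, `EncryptField` and `WrapForUpload` names, and the constructed sample field value are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// gcm builds an AES-GCM AEAD from a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a fresh random nonce so one key can protect many payloads.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal authenticates before decrypting: a wrong key or a modified blob
// yields an error, never silently wrong bytes.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// RootKey stands in for a root key held inside the customer's KMS (EKM or
// Cache-Only Keys). Only Wrap and Unwrap are exposed, so the raw key never
// leaves the struct, the way a KMS never releases its root key material.
type RootKey struct{ raw []byte }

func NewRootKey() (*RootKey, error) {
	raw, err := randomKey()
	return &RootKey{raw: raw}, err
}

// Wrap produces the blob Salesforce would store beside the service that needs
// the DEK; the DEK itself is never written down in plain text.
func (r *RootKey) Wrap(dek []byte) ([]byte, error) { return seal(r.raw, dek, []byte("dek")) }

// Unwrap is the on-demand call; its result belongs only in a time-limited
// in-memory cache.
func (r *RootKey) Unwrap(wrapped []byte) ([]byte, error) { return unseal(r.raw, wrapped, []byte("dek")) }

// NewDEK generates a 256-bit data encryption key.
func NewDEK() ([]byte, error) { return randomKey() }

// EncryptField and DecryptField apply an unwrapped DEK to one field value.
func EncryptField(dek, plaintext []byte) ([]byte, error)  { return seal(dek, plaintext, nil) }
func DecryptField(dek, ciphertext []byte) ([]byte, error) { return unseal(dek, ciphertext, nil) }

// WrapForUpload models the BYOK step: locally generated key material is
// encrypted to the public key of the certificate registered in Setup, so only
// the matching private key can recover it. RSA-OAEP/SHA-256 is this example's
// choice (assumption), not the documented BYOK format.
func WrapForUpload(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
}

func UnwrapUpload(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

func main() {
	root, _ := NewRootKey()
	dek, _ := NewDEK()
	wrapped, _ := root.Wrap(dek)                      // stored with the service
	ct, _ := EncryptField(dek, []byte("000-00-0000")) // constructed sample field value
	dek, _ = root.Unwrap(wrapped)                     // fetched on demand, cache only
	pt, _ := DecryptField(dek, ct)
	fmt.Printf("decrypted field: %s\n", pt)
	other, _ := NewRootKey()
	_, err := other.Unwrap(wrapped) // a different root key cannot unwrap the blob
	fmt.Println("unwrap under wrong root key:", err)
}
```

The additional authenticated data on the wrap (`"dek"`) binds the blob to its purpose, so a wrapped DEK cannot be replayed as a field ciphertext or vice versa; GCM's tag check is what turns a wrong root key, a revoked key, or a tampered blob into an error rather than garbage plaintext.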
          Salesforce Help | Article