Data Encryption Keys for Database Encryption

As with FLE, the DEKs used for Database Encryption are either generated by Salesforce or supplied by the customer.

The database tenant secret (Salesforce-generated or BYOK) is one input to the final derived DEK. It is used to derive a tenant-specific, per-fragment DEK, and that derived key is what actually encrypts and decrypts data in the database. Using a separate key for each fragment mitigates the AES-GCM key-overuse concern, because no single key is used for an unbounded number of encryptions.

The inputs to the derived key are:

• Your database tenant secret (Salesforce-generated or BYOK)
• A randomly generated 128-bit salt, unique to each data fragment

These inputs are supplied to a key derivation function (KDF), which produces a different DEK for every database fragment. The KDF is based on OpenSSL's HKDF. Unlike FLE, where derivation happens on a dedicated key derivation server, with Database Encryption the derivation happens inside the transactional database.
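The derivation described above, as an added worked example that is not Salesforce's code: a standard-library HKDF (RFC 5869, extract-then-expand) that derives a per-fragment DEK from a tenant secret and a 128-bit fragment salt, plus a known-answer check against the RFC's first test vector. The choice of SHA-256 as the hash, a 256-bit output key, and the `info` label are assumptions; the page only states that the KDF is HKDF-based and that the salt is 128 bits.

```python
"""Per-fragment DEK derivation with HKDF (illustrative; not Salesforce's code)."""
import hashlib
import hmac
import os

HASH = hashlib.sha256          # assumption: the page does not name the hash
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256
SALT_LEN = 16                  # per-fragment salt is 128 bits (from the page)
DEK_LEN = 32                   # assumption: 256-bit AES-GCM key
INFO = b"db-fragment-dek"      # assumption: context label, not documented


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def new_fragment_salt() -> bytes:
    """Random 128-bit salt, generated once per data fragment and stored with it."""
    return os.urandom(SALT_LEN)


def derive_fragment_dek(tenant_secret: bytes, fragment_salt: bytes) -> bytes:
    """Derive the tenant-specific, per-fragment DEK.

    tenant_secret: the database tenant secret (Salesforce-generated or BYOK).
    fragment_salt: the fragment's stored 128-bit salt.
    """
    if len(fragment_salt) != SALT_LEN:
        raise ValueError("fragment salt must be exactly 128 bits")
    if not tenant_secret:
        raise ValueError("tenant secret must not be empty")
    prk = hkdf_extract(fragment_salt, tenant_secret)
    return hkdf_expand(prk, INFO, DEK_LEN)


def rfc5869_test_case_1_passes() -> bool:
    """Known-answer check against RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56"
        "ecc4c5bf34007208d5b887185865"
    )
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


if __name__ == "__main__":
    # Constructed sample: one tenant secret, two data fragments.
    tenant_secret = os.urandom(32)
    salt_a, salt_b = new_fragment_salt(), new_fragment_salt()
    dek_a = derive_fragment_dek(tenant_secret, salt_a)
    dek_b = derive_fragment_dek(tenant_secret, salt_b)
    print("HKDF known-answer test:", rfc5869_test_case_1_passes())
    print("fragment A DEK:", dek_a.hex())
    print("fragment B DEK:", dek_b.hex())
    print("same secret + same salt re-derives A:",
          derive_fragment_dek(tenant_secret, salt_a) == dek_a)
    print("different fragments get different DEKs:", dek_a != dek_b)
```

The salt is not secret and is stored alongside its fragment; the tenant secret is the only secret input, so rotating or destroying it changes or removes every derived fragment key at once. Because each fragment gets its own DEK, the number of AES-GCM encryptions performed under any single key is bounded by the size of that fragment, which is the key-overuse mitigation the text refers to.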

Note: Due to the nature of encryption within the database, there's a delay before a new Database Encryption seed is used. See Special Database Encryption Considerations for more information.