Search Encryption at Rest Process Flow
The Salesforce search engine is built on Apache Solr, an open-source enterprise search platform. The search index, which stores tokens of record data with links back to the original records stored in the database, is housed within Solr. Partitions divide the search index into segments so that Salesforce can scale operations. Solr uses Apache Lucene as its core library. Because of this, the search content is technically outside of the application tier and has its own process flow.
By using Shield Platform Encryption’s HSM-based key derivation architecture, metadata, and configurations, Search Encryption runs automatically when Shield Platform Encryption is in use. The solution applies strong encryption to the org-specific search index .fdt, .tim, and .tip file types by using an org-specific 256-bit AES encryption key. The search index is encrypted at the search index segment level, and all search index operations require index blocks to be encrypted in memory.
The only way to access the search index or the encrypted key cache is through programmatic APIs.
To use Search Encryption, the Salesforce admin first enables the Encrypt Search Indexes option. Shield Platform Encryption creates the first root key, and then uses it to create and wrap a data encryption key (DEK). The wrapped DEK is then stored in the database.
When a User Creates or Edits Records
1. The core application determines, based on metadata, whether the search index segment must be encrypted.
2. If the search index segment must be encrypted, the encryption service checks for the matching search encryption key ID in the encrypted key cache.
3. The encryption service determines whether the key exists in the encrypted key cache.
4. If the DEK exists in the encrypted key cache, the encryption service uses it for encryption.
5. If not, the service sends a request to the core application, which in turn sends an authenticated derivation request to the regional Shield KMS or External KMS and returns the DEK to the core application server. Data moving between the regional Shield KMS and the encryption service is encrypted by TLS, using a certificate signed by a dedicated Salesforce authority. This certificate’s private key is stored by the regional Shield KMS and the encryption service in encrypted form. The certificate’s public and private keys are rotated regularly.
6. After retrieving the DEK, the encryption service generates a random initialization vector (IV) and encrypts the data by using JCE’s AES-256 implementation.
7. The key ID, which identifies the key used to encrypt the index segment, and the IV are saved in the search index.
When a User Searches for an Encrypted Term
1. The term is passed to the search index along with the Salesforce objects to search.
2. When the search index executes the search, the encryption service opens the relevant segment of the search index in memory and reads the key ID and IV.
3. The encryption service repeats steps 3 through 5 of the encryption process above: it looks up the DEK in the encrypted key cache and, if the key is not cached, requests it from the KMS.
4. The search index processes the search and returns the results to the user.
If Salesforce administrators disable encryption on a field, all index segments that were encrypted are decrypted and the key ID is set to null. This process can take up to 7 days.
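The three flows above (encrypting a segment when a record is created or edited, resolving the key again at search time, and clearing the key ID when encryption is disabled) are modelled in the added Go example below. It is illustration only, not Salesforce or Solr code: the KMS is a hypothetical stand-in that derives an org-specific 256-bit DEK from a root key with HMAC-SHA256 (the real HSM-based derivation is not described on the page), the encrypted key cache is a plain map, AES-GCM is an assumed mode since the page states only AES-256 with a random IV, and the org ID, key ID, root key and index token are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Segment is a constructed stand-in for one search index segment. The key ID
// and IV are stored next to the ciphertext, as the process flow describes.
// An empty KeyID plays the role of the null key ID on an unencrypted segment.
type Segment struct {
	KeyID string
	IV    []byte
	Data  []byte
}

// kms is a hypothetical stand-in for the regional Shield KMS. HMAC-SHA256 over
// the org ID and key ID is an assumption, not Salesforce's derivation scheme.
type kms struct{ rootKey []byte }

func (k kms) DeriveDEK(orgID, keyID string) []byte {
	m := hmac.New(sha256.New, k.rootKey)
	m.Write([]byte(orgID + "|" + keyID))
	return m.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

// EncryptionService models the cache-first, KMS-on-miss key lookup.
type EncryptionService struct {
	orgID    string
	kms      kms
	cache    map[string][]byte // encrypted key cache, keyed by key ID
	KMSCalls int               // number of cache misses that reached the KMS
}

func NewEncryptionService(orgID string, rootKey []byte) *EncryptionService {
	return &EncryptionService{orgID: orgID, kms: kms{rootKey}, cache: map[string][]byte{}}
}

// dek implements steps 3 through 5: serve the DEK from the cache, or request
// it from the KMS once and cache it.
func (s *EncryptionService) dek(keyID string) []byte {
	if k, ok := s.cache[keyID]; ok {
		return k
	}
	s.KMSCalls++
	k := s.kms.DeriveDEK(s.orgID, keyID)
	s.cache[keyID] = k
	return k
}

func (s *EncryptionService) aead(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.dek(keyID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSegment is the create/edit path: random IV, AES-256 encryption, and
// the key ID plus IV recorded with the segment.
func (s *EncryptionService) EncryptSegment(keyID string, plain []byte) (Segment, error) {
	g, err := s.aead(keyID)
	if err != nil {
		return Segment{}, err
	}
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return Segment{}, err
	}
	return Segment{KeyID: keyID, IV: iv, Data: g.Seal(nil, iv, plain, []byte(keyID))}, nil
}

// DecryptSegment is the search path: read key ID and IV from the segment,
// resolve the DEK (cache or KMS), and decrypt the block in memory.
func (s *EncryptionService) DecryptSegment(seg Segment) ([]byte, error) {
	if seg.KeyID == "" {
		return nil, errors.New("segment is not encrypted")
	}
	g, err := s.aead(seg.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, seg.IV, seg.Data, []byte(seg.KeyID))
}

// DisableEncryption models an admin turning encryption off: the segment is
// decrypted and its key ID is set to null.
func (s *EncryptionService) DisableEncryption(seg Segment) (Segment, error) {
	plain, err := s.DecryptSegment(seg)
	if err != nil {
		return Segment{}, err
	}
	return Segment{KeyID: "", IV: nil, Data: plain}, nil
}

func main() {
	svc := NewEncryptionService("00Dxx0000000001", []byte("constructed-root-key-for-demo-only"))
	seg, _ := svc.EncryptSegment("key-01", []byte("token:acme -> record 001"))
	plain, _ := svc.DecryptSegment(seg)
	fmt.Printf("keyID=%s ivBytes=%d kmsCalls=%d roundtrip=%q\n", seg.KeyID, len(seg.IV), svc.KMSCalls, plain)
}
```

Two details worth noticing when running it: the KMS counter stays at one across the encrypt and the later search-time decrypt, because the second lookup is served from the cache, and a segment whose key ID has been nulled by DisableEncryption is rejected by the decrypt path rather than silently treated as ciphertext.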

