          Database Encryption Process Flow

          For Database Encryption, encryption and decryption happen at the fragment level.

          Encryption Process

          • A user saves data (1).
          • If Database Encryption is active, the database encryption service attempts to retrieve the associated encryption keys from the encrypted key cache (2).
          • If the key exists, the database encryption service retrieves the key (3).
          • If the key isn’t in the encrypted key cache:
            • The encryption service requests the database tenant secret from the regional KMS (4).
            • The regional KMS provides the database tenant secret (5).
              Note: Data moving between the regional Shield KMS and the database encryption service is encrypted with mutual TLS (mTLS), using a certificate signed by a dedicated Salesforce internal certificate authority (CA). This certificate's private key is stored in the regional KMS in encrypted form. The certificate's public and private keys are rotated regularly.
            • The database encryption service stores the database tenant secret in the encrypted key cache (6).
          • The database stages the data to be encrypted in the database memstore until it determines that it can write a database fragment (usually 64 KB or smaller) (7).
          • The database encryption service generates a per-fragment salt based on the database fragment being written. The service supplies this per-fragment salt and the database tenant secret as parameters to a key derivation function (KDF) to derive the data encryption key (DEK) for that database fragment. Using this DEK, it encrypts the entire fragment with the OpenSSL AES-GCM-256 implementation (8).
          • The database fragment is now encrypted. The per-fragment salt and the ID of the key material used to derive the data encryption key are saved alongside that fragment in the database (9).
          Encryption process flow for Transaction Level Encryption

          Decryption Process

          Note: If you use Database Encryption for a time and then stop using it, you can still retrieve your encrypted data. If you change that data, it is rewritten to the database as a plaintext fragment.
          • When an authenticated user retrieves encrypted data, the database encryption service retrieves the database fragment containing the desired data along with the per-fragment salt and ID of the key material used to encrypt the data being retrieved.
          • The database encryption service checks for the matching data encryption key in the key cache.
          • If the key exists, the encryption service retrieves the key.
          • If the key isn’t in the encrypted key cache:
            • The encryption service requests the database tenant secret from the regional KMS.
            • The regional KMS provides the database tenant secret. As when encrypting the data, data moving between the regional Shield KMS and the database encryption service is encrypted by mTLS.
            • The database encryption service stores the database tenant secret in the encrypted key cache.
          • The database retrieves the database tenant secret and the per-fragment salt and supplies them to the KDF to derive the DEK.
          • The data is decrypted and returned to the user.
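The following is an added illustration of the encrypt (steps 7-9) and decrypt paths described above; it is not Salesforce code. It assumes a stand-in HKDF over HMAC-SHA256 as the KDF (the page does not name the KDF), constructed tenant secrets held in a plain map in place of the encrypted key cache and regional KMS, and hypothetical names such as EncryptFragment and DecryptFragment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type EncryptedFragment struct { // what the database persists per fragment (step 9)
	KeyID            string // ID of the key material the DEK was derived from
	Salt, Ciphertext []byte // per-fragment salt; AES-GCM output with tag appended
}

// fragmentAEAD stands in for the KDF step (the page does not name the KDF): HKDF over
// HMAC-SHA256, salted with the per-fragment salt, keyed by the tenant secret. Each
// DEK protects exactly one fragment, so the GCM nonce is derived beside it, not stored.
func fragmentAEAD(tenantSecret, salt []byte) (cipher.AEAD, []byte) {
	ext := hmac.New(sha256.New, salt) // HKDF-Extract: PRK = HMAC(salt, secret)
	ext.Write(tenantSecret)
	prk, okm, prev := ext.Sum(nil), []byte{}, []byte{}
	for i := byte(1); len(okm) < 44; i++ { // HKDF-Expand: T(i) = HMAC(PRK, T(i-1)|info|i)
		h := hmac.New(sha256.New, prk)
		h.Write(prev); h.Write([]byte("db-fragment-dek")); h.Write([]byte{i})
		prev = h.Sum(nil)
		okm = append(okm, prev...)
	}
	block, _ := aes.NewCipher(okm[:32]) // 32-byte DEK selects AES-256; length error impossible
	gcm, _ := cipher.NewGCM(block)      // cannot fail for an AES block cipher
	return gcm, okm[32:44]              // 96-bit GCM nonce
}

// Write path (step 8): random salt, derived DEK, whole fragment sealed, key ID as AAD.
func EncryptFragment(keyID string, tenantSecret, fragment []byte) (*EncryptedFragment, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil { return nil, err }
	gcm, nonce := fragmentAEAD(tenantSecret, salt)
	ct := gcm.Seal(nil, nonce, fragment, []byte(keyID))
	return &EncryptedFragment{KeyID: keyID, Salt: salt, Ciphertext: ct}, nil
}

// Read path: secret looked up by stored key ID, DEK re-derived from stored salt; any mismatch or altered byte fails the GCM tag check.
func DecryptFragment(secrets map[string][]byte, ef *EncryptedFragment) ([]byte, error) {
	secret, ok := secrets[ef.KeyID]
	if !ok { return nil, errors.New("no tenant secret cached for key ID " + ef.KeyID) }
	gcm, nonce := fragmentAEAD(secret, ef.Salt)
	return gcm.Open(nil, nonce, ef.Ciphertext, []byte(ef.KeyID))
}
```

Because the salt is random per fragment, two writes of identical data yield different DEKs and ciphertexts, and a fragment written under a retired key ID can still be opened as long as that key material remains retrievable.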
          Salesforce Help | Article