Salesforce Shield Key Management Service

The Salesforce Shield Key Management Service (KMS) empowers users to control and manage the lifecycle of their encryption keys, offering options like Salesforce-generated keys, Bring Your Own Key (BYOK), and Cache-Only Key Service, all while ensuring data encryption and security.

Key Features and Options:

Salesforce-Generated Keys:Salesforce can generate and manage tenant secrets for you, which are combined with a primary secret to derive data encryption keys (DEKs).
Bring Your Own Key (BYOK):Organizations can leverage their existing key management infrastructure by uploading and managing their own key material outside of Salesforce.
Cache-Only Key Service:This option allows you to store your key material outside of Salesforce and have it fetched on demand, with Salesforce never retaining or persisting the key in any system of record or backups.
Key Rotation:You can rotate keys to enhance security and manage the lifecycle of your encryption keys.
External Key Management:You can use the External Key Management Service or Cache-Only Key Service to fetch your key material on demand from a key service you control.
Key Derivation:Shield Platform Encryption uses a key derivation function (KDF) to derive DEKs on demand from a primary secret and your org-specific key material.
Data Encryption:Shield Platform Encryption encrypts data at rest, including fields stored in the database, documents, search index files, and CRM Analytics datasets.
Security:Your data encryption key material is never saved or shared across orgs, and your org-specific key material is always wrapped.
Compliance:Shield Platform Encryption helps organizations meet regulatory requirements by managing the lifecycle of their encryption keys.