Shield Platform Encryption lets Salesforce customers manage the life cycle of their data encryption keys while protecting those keys from unauthorized access. To guarantee this level of protection, data encryption keys are never persisted on disk.
Don't forget to check out: Salesforce Security Model - An Overview
The master secret is generated by a master hardware security module (HSM) at the beginning of each release. The master HSM is air-gapped from Salesforce's production network and stored securely in a bank safety deposit box. Only designated Salesforce security officers can access the safety deposit box and the master HSM kept inside it.
Key material is either generated on demand using HSMs embedded in the Shield KMS, or supplied by the customer using the Bring Your Own Key (BYOK) service.
The Bring Your Own Key service, introduced in Winter '17, gives customers more control and flexibility for managing key material through an API service. Customers can use open-source crypto libraries, their existing HSM infrastructure, or third-party key brokering services to generate and manage tenant secrets and data encryption keys outside of Salesforce. They can then grant Salesforce's KMS access to that key material, and they can revoke that access at any time.
The Shield KMS has access to the release-specific secrets for each Salesforce release. By default, when a data encryption key is needed to encrypt or decrypt customer data, the Shield KMS derives the key from the master and tenant secrets. Customers can opt out of key derivation on a key-by-key basis and upload a final data encryption key instead, or store their keys in an external key management system for on-demand retrieval. By controlling the lifecycle of your organization's key material, you control the lifecycle of the derived data encryption keys. Your Salesforce administrator designates a user to manage the key material for your organization and assigns that user the Manage Encryption Keys user permission. This permission lets the key administrator generate, upload, archive, import, export and destroy key material.
It's possible to have more than one active tenant secret in an organization, because you can apply specific keys to data stored in different areas of Salesforce. For example, search index files are stored separately from other Salesforce data, so customers can apply dedicated key material to the data in those files. Only the most recent tenant secret or data encryption key of a given type is active, meaning only that key material is used to derive the data encryption key that encrypts data of that type. When you generate or upload new key material, the previously active secret is archived. Archived key material is still used to decrypt data that was last encrypted while that key material was active.
You can destroy an inactive tenant secret. Once you destroy a tenant secret, it is no longer possible to derive the encryption key needed to decrypt the data that was encrypted with that key. Similarly, once you destroy a customer-supplied data encryption key, you can no longer access data encrypted with that key. Take special care to back up and protect both archived key material and encrypted data. When you destroy key material, it is completely removed from the persistence layer and from the encrypted key cache, and it cannot be recovered.
Per Release Secret Generation
At the beginning of each release, the master HSM is connected to the offline computer and used to generate the per-release secrets and keys (on the HSM itself).
The following secrets are generated:
- Master secret
- Master salt
- Master wrapping key
- Tenant wrapping key
Each secret is hashed using SHA-256.
For the meaning of each secret and key, see Keys and Secrets.
- The master wrapping key (MWK) is encrypted with the master HSM's public encryption key and stored locally on the computer alongside its hash.
- The other secrets are encrypted with the master wrapping key and stored on the computer alongside their hashes.
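The following is an added Python model (not Salesforce code, and not a reproduction of the Shield KMS's real algorithms) that ties together the two mechanisms described on this page: the per-release ceremony above, where each secret is wrapped and stored next to its SHA-256 hash, and the tenant key lifecycle from the key management section, where data encryption keys are derived from the master and tenant secrets unless the customer uploads a final key, only the newest version is active, archived versions still decrypt older data, and destroyed material makes that data unrecoverable. Everything in it is an assumption for illustration: the names (`hkdf_sha256`, `seal`, `unseal`, `TenantKeyRing`, and so on), the HMAC-SHA256 counter-mode construction that stands in for a production AEAD such as AES-GCM, and the symmetric `hsm_key` that stands in for the HSM's public/private key pair.

```python
# Added illustration of Shield-style key handling; not Salesforce code. Stand-ins
# (assumptions): an HMAC-SHA256 counter-mode stream plus encrypt-then-MAC tag in
# place of a real AEAD, and a symmetric hsm_key in place of the HSM's key pair.
import hashlib
import hmac
import os

RELEASE_SECRETS = ("master_secret", "master_salt", "master_wrapping_key", "tenant_wrapping_key")

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext, aad=b""):
    """Toy AEAD (stand-in for AES-GCM): returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def generate_release_secrets(hsm_key):
    """Per-release ceremony: each secret is stored as (wrapped, sha256 hex). The MWK is
    wrapped by the HSM (hsm_key stands in for its key pair); the rest under the MWK."""
    secrets = {name: os.urandom(32) for name in RELEASE_SECRETS}
    mwk = secrets["master_wrapping_key"]
    stored = {}
    for name, value in secrets.items():
        if name == "master_wrapping_key":
            wrapped = seal(hsm_key, value, aad=b"hsm")
        else:
            wrapped = seal(mwk, value, aad=name.encode())
        stored[name] = (wrapped, hashlib.sha256(value).hexdigest())
    return stored

def load_release_secrets(stored, hsm_key):
    """Unwrap the MWK first, then the others; refuse any secret whose SHA-256 mismatches."""
    mwk = unseal(hsm_key, stored["master_wrapping_key"][0], aad=b"hsm")
    out = {"master_wrapping_key": mwk}
    for name in RELEASE_SECRETS:
        if name != "master_wrapping_key":
            out[name] = unseal(mwk, stored[name][0], aad=name.encode())
    for name, value in out.items():
        if not hmac.compare_digest(hashlib.sha256(value).hexdigest(), stored[name][1]):
            raise ValueError(f"integrity check failed for {name}")
    return out

class TenantKeyRing:
    """One org's key material: the newest version is active for encryption; older
    versions stay archived for decryption until they are explicitly destroyed."""
    def __init__(self, master_secret, master_salt):
        self.master_secret, self.master_salt, self.versions = master_secret, master_salt, {}

    @property
    def active(self):
        return max(self.versions)

    def _add(self, kind, material):
        version = self.active + 1 if self.versions else 1
        self.versions[version] = (kind, material)  # the previously active version is now archived
        return version

    def generate_tenant_secret(self):
        return self._add("tenant_secret", os.urandom(32))

    def upload_final_dek(self, dek):
        """BYOK opt-out of derivation: the uploaded key is used as the DEK as-is."""
        return self._add("final_dek", dek)

    def _dek(self, version):
        if version not in self.versions:
            raise KeyError(f"key version {version} was destroyed; its data is unrecoverable")
        kind, material = self.versions[version]
        if kind == "final_dek":
            return material
        return hkdf_sha256(self.master_secret, self.master_salt, b"dek" + material)

    def encrypt(self, data):
        tag = self.active.to_bytes(4, "big")  # ciphertext records which key version to use
        return tag + seal(self._dek(self.active), data, aad=tag)

    def decrypt(self, blob):
        return unseal(self._dek(int.from_bytes(blob[:4], "big")), blob[4:], aad=blob[:4])

    def destroy(self, version):
        if version == self.active:
            raise ValueError("only inactive (archived) key material can be destroyed")
        del self.versions[version]
```

Two design points carry over to any real deployment of this pattern: every ciphertext records the key version it was produced under, which is what makes archived material usable for decryption after rotation, and the hash stored beside each wrapped secret is checked with a constant-time comparison before the secret is used, so a corrupted or substituted blob is refused rather than silently yielding a wrong key.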