Setting up BYOK is a multi-team effort: security generates the keys, Salesforce admins upload them, compliance documents the chain of custody. Plan a few weeks for the first BYOK key; subsequent rotations are faster.
- Verify Shield Platform Encryption and BYOK entitlement
Setup, then Platform Encryption. Confirm the org has Shield Platform Encryption and BYOK enabled. Without both, BYOK is not available.
- Generate the key in your KMS
Use your enterprise KMS (AWS KMS, Azure Key Vault, Thales, HashiCorp Vault) to generate a key meeting Salesforce's requirements: typically AES-256 derived from an RSA-2048 wrapping key.
- Wrap and export the key
Wrap the AES-256 key with Salesforce's published certificate (download from Setup) and export the wrapped key as a Base64-encoded file. The wrapping ensures Salesforce can decrypt the key when it arrives but no one else can.
- Upload the wrapped key to Salesforce
Setup, then Platform Encryption, then Tenant Secrets, then Upload Tenant Secret. Select the wrapped key file. Salesforce unwraps and stores it as the new active tenant secret.
- Activate the new secret
Mark the new secret as Active. Going forward, all encryption operations use a DEK derived from this secret. Old encryptions continue to work with their prior secrets.
- Document the key custody chain
Record in your security documentation: who generated the key, when it was generated, the key fingerprint, the upload date, the rotation schedule, the revocation triggers. Auditors will ask.
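The wrap-and-export and custody-record steps above, as an added example in Go that is not part of the original page or of any Salesforce or KMS tooling: it takes the 32-byte tenant secret already exported from the KMS, extracts the RSA public key from the certificate downloaded from Setup, wraps the secret with RSA-OAEP, emits the Base64 text for upload, and computes the SHA-256 fingerprint to store in the custody record instead of the key itself. The function names and the OAEP hash (SHA-256) are assumptions; confirm the padding mode against Salesforce's current upload instructions before relying on it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
)

// Fingerprint is the hex SHA-256 of the raw key: record this in the custody chain, never the key.
func Fingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:])
}

// PublicKeyFromCertPEM pulls the RSA public key out of the PEM certificate downloaded from Setup,
// rejecting input that is not a certificate or whose key is not RSA.
func PublicKeyFromCertPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// WrapTenantSecret checks the key is exactly 256 bits, encrypts it to the certificate's RSA key
// with OAEP (SHA-256 assumed here) and returns the Base64 text that becomes the upload file.
func WrapTenantSecret(key []byte, pub *rsa.PublicKey) (string, error) {
	if len(key) != 32 {
		return "", errors.New("tenant secret must be exactly 32 bytes (AES-256)")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(wrapped), nil
}
```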
Default. Keys generated and stored in Salesforce HSMs. No customer effort.
Customer-generated keys, uploaded wrapped. Customer retains a copy and can revoke.
Keys live entirely in customer KMS. Salesforce fetches per-operation. Highest control.
All keys originate or pass through HSMs. Ensures cryptographic-quality randomness.
- Revoking a tenant secret is irreversible. Encrypted data becomes permanently inaccessible. Plan revocations carefully and ensure data backups (if needed) exist outside Salesforce.
- BYOK requires the customer's KMS to be operationally reliable. If the KMS is down, Salesforce cannot decrypt; for Cache-Only Key Service, this means user-facing impact.
- Key rotation does not re-encrypt existing data. New writes use the new key; old reads decrypt with old keys. Run Mass Re-encryption explicitly if post-rotation re-encryption is required.
- Encryption Key Management does not encrypt every field. Standard PII fields are typically encrypted; many other fields require explicit configuration. Audit your encrypted-fields list against compliance requirements.