Provisioning an HSM for use with Salesforce Shield is a coordinated effort between the customer's security team, the HSM vendor, and the Salesforce architecture team. The steps below cover the path for a cloud HSM integration.
- Pick the HSM service. Choose AWS CloudHSM, Azure Dedicated HSM, GCP Cloud KMS HSM, or an on-prem appliance. Most customers default to the cloud HSM of their primary cloud provider.
- Provision the HSM cluster. Follow the cloud provider documentation to provision an HSM cluster. Configure a minimum of two HSMs for high availability; single-HSM deployments fail when the device needs maintenance.
- Generate the tenant secret. Inside the HSM, generate the master key material for the Salesforce tenant secret. The key never leaves the HSM in cleartext; only wrapped versions can be exported.
- Configure connectivity to Salesforce. For Cache-Only Key Service, configure the HSM as a callable endpoint that Salesforce can reach through the documented key wrapping protocol. For BYOK, export the wrapped key for upload.
- Configure the Salesforce side. In Setup > Encryption Settings > Key Management: for BYOK, upload the wrapped key; for Cache-Only Key Service, configure the endpoint and its authentication.
- Test key operations. Encrypt a test field and confirm that encryption succeeds. For Cache-Only Key Service, monitor the HSM logs to confirm that Salesforce is making the expected calls.
- Set up monitoring and DR. Monitor HSM availability, key operation rate, and failure events. Define disaster recovery: how do you restore key access if the primary HSM cluster fails?
- AWS CloudHSM: Cloud HSM service in AWS. Common choice for AWS-centric customers.
- Azure Dedicated HSM: Cloud HSM service in Azure. Common choice for Azure-centric customers.
- GCP Cloud KMS HSM: Google Cloud HSM-backed Key Management Service.
- On-prem appliance: Self-operated HSM in the customer data center. Use when regulations require physical custody.
- Standard certification level for enterprise HSMs. Sufficient for most compliance frameworks.
- Single-instance HSM deployments fail during maintenance. Always provision at least two HSMs in a cluster; a single instance is not production-grade.
- Cache-Only Key Service adds latency on every encrypted-field operation. Heavy reports filtering encrypted fields can run noticeably slower; benchmark before production.
- HSM backup is non-trivial. Keys cannot be exported in cleartext; restore requires another HSM that can unwrap the backup. Plan disaster recovery carefully.
- On-prem HSMs require deliberate operational discipline. Most customers find cloud HSMs simpler; reserve on-prem for cases where physical custody is mandated.
- Network connectivity to the HSM is a critical dependency. With Cache-Only Key Service, an outage of the HSM connectivity halts decryption; design network paths for high availability.