Salesforce Dictionary - Free Salesforce Glossary
How-to guide

Work with KDFs in Shield and custom code

KDFs are mostly invisible to administrators because the platform handles key derivation internally. The steps below cover the cases where KDF concepts matter for custom code or Shield architecture decisions.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary
Last updated May 19, 2026

  1. Identify scenarios requiring KDF awareness

    Most administrators never need to think about KDFs. Awareness matters for Shield architects designing rotation strategy and Apex developers building custom encryption.

  2. For Shield rotation, plan the cadence

    Rotation means generating a new tenant secret. The key derivation server derives a fresh data encryption key from it and the unchanged master secret, and earlier tenant secrets are archived so existing ciphertext still decrypts; that chain is what makes rotation non-disruptive. Plan a quarterly or annual cadence to match your policy, and never destroy an archived tenant secret that still protects data, because that data then becomes unrecoverable.

  3. After rotation, run Mass Encryption

    Rotating the tenant secret only changes the key used for new writes. Mass Encryption (the background encryption service) re-encrypts existing records under the key derived from the new tenant secret. Without it, older records stay encrypted under keys derived from archived secrets, and those secrets must remain recoverable for as long as that data exists.

  4. For custom Apex, use Crypto.generateMac()

    Need to derive subkeys from an existing high-entropy secret? Build an HKDF-style extract-and-expand on the built-in Crypto.generateMac('hmacSHA256', input, key). Need to hash passwords? Apex has no PBKDF2, bcrypt, scrypt or Argon2, and a single HMAC or SHA-256 digest has no work factor, so delegate to an external service through a Named Credential, or avoid holding passwords at all by using an Auth Provider. Do not hand-roll the KDF in Apex.

  5. Audit custom encryption code

    Any Apex code that stores passwords or derives keys deserves a security review. Hand-rolled KDFs are a common source of vulnerabilities: unsalted or statically salted digests, a single hash iteration, secrets hard-coded in the class, and key material logged in debug output.

  6. Document KDF choices for compliance

    Compliance auditors may ask which KDF algorithms protect your data. Shield documentation answers this; document custom code separately.

  7. Benchmark performance impact

    For Cache-Only Key Service or heavy custom encryption, the KDF cost is observable on top of the callout to your key service. Benchmark encrypted-field queries against their plaintext equivalents in a sandbox before production to set expectations.
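Step 4 in practice, as an added example that is not code from Salesforce Dictionary or from Salesforce: an HKDF (RFC 5869) extract-and-expand built on Crypto.generateMac('hmacSHA256', ...) for deriving purpose-specific subkeys from one high-entropy master secret, plus a helper that encrypts with Crypto.encryptWithManagedIV so the salt (which separates derived keys) and the IV (which separates ciphertexts) appear side by side. The class name HkdfSha256, the method names and the purpose labels are assumptions; the hex round trips exist because Apex has no Blob concatenation.

```apex
// Added example (not Salesforce Dictionary's or Salesforce's code): HKDF (RFC 5869) on top of
// Crypto.generateMac('hmacSHA256', ...), for turning one high-entropy master secret into
// independent, purpose-specific subkeys. Class, method and label names are assumptions.
// HMAC runs in microseconds and has no work factor, so this is NOT a password hash.
public with sharing class HkdfSha256 {
    public class HkdfException extends Exception {}

    private static final Integer HASH_LEN = 32;          // SHA-256 output, in bytes
    private static final String HEX = '0123456789abcdef';

    // HKDF-Extract: PRK = HMAC-SHA256(key = salt, message = ikm).
    // The salt is public; RFC 5869 defines a missing salt as HASH_LEN zero bytes.
    public static Blob extract(Blob salt, Blob ikm) {
        if (salt == null || salt.size() == 0) {
            salt = EncodingUtil.convertFromHex('00'.repeat(HASH_LEN));
        }
        return Crypto.generateMac('hmacSHA256', ikm, salt);
    }

    // HKDF-Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i); OKM = T(1) || T(2) || ...
    // Apex cannot concatenate Blobs, so each HMAC input is assembled as a hex string.
    public static Blob expand(Blob prk, Blob info, Integer length) {
        if (length == null || length <= 0 || length > 255 * HASH_LEN) {
            throw new HkdfException('HKDF output length must be between 1 and '
                + (255 * HASH_LEN) + ' bytes');
        }
        Integer blocks = (length + HASH_LEN - 1) / HASH_LEN;
        String infoHex = info == null ? '' : EncodingUtil.convertToHex(info);
        String prevHex = '';
        String okmHex = '';
        for (Integer i = 1; i <= blocks; i++) {
            // one-byte block counter rendered as two hex digits (01, 02, ...)
            String counterHex = HEX.substring(i / 16, i / 16 + 1)
                              + HEX.substring(Math.mod(i, 16), Math.mod(i, 16) + 1);
            Blob t = Crypto.generateMac('hmacSHA256',
                EncodingUtil.convertFromHex(prevHex + infoHex + counterHex), prk);
            prevHex = EncodingUtil.convertToHex(t);
            okmHex += prevHex;
        }
        return EncodingUtil.convertFromHex(okmHex.substring(0, length * 2));
    }

    // Extract-then-expand with a readable purpose label as the info string: the same master
    // secret and salt yield unrelated keys for 'field-encryption' and 'field-mac'.
    public static Blob deriveKey(Blob masterSecret, Blob salt, String purpose, Integer length) {
        return expand(extract(salt, masterSecret), Blob.valueOf(purpose), length);
    }

    // Salt versus IV, side by side. The salt feeds the KDF and makes the derived key unique
    // per context; encryptWithManagedIV draws a fresh random IV per call and prepends it to
    // the ciphertext, which is what makes two encryptions of the same value differ.
    public static Blob protect(Blob masterSecret, Blob salt, Blob plaintext) {
        Blob encKey = deriveKey(masterSecret, salt, 'field-encryption', 32);   // AES-256 key
        return Crypto.encryptWithManagedIV('AES256', encKey, plaintext);
    }

    public static Blob unprotect(Blob masterSecret, Blob salt, Blob ivAndCiphertext) {
        Blob encKey = deriveKey(masterSecret, salt, 'field-encryption', 32);
        return Crypto.decryptWithManagedIV('AES256', encKey, ivAndCiphertext);
    }

    // Usage (anonymous Apex):
    //   Blob master = Crypto.generateAesKey(256);   // stand-in for a secret held in a protected custom setting
    //   Blob salt   = Crypto.generateAesKey(128);   // random, public, stored beside the ciphertext
    //   Blob ct1 = HkdfSha256.protect(master, salt, Blob.valueOf('4111111111111111'));
    //   Blob ct2 = HkdfSha256.protect(master, salt, Blob.valueOf('4111111111111111'));
    //   // same derived key, different managed IV, different ciphertext
    //   System.assert(EncodingUtil.convertToHex(ct1) != EncodingUtil.convertToHex(ct2));
    //   System.assertEquals('4111111111111111', HkdfSha256.unprotect(master, salt, ct1).toString());
}
```

The master secret in the usage comment is a random AES key only so the snippet runs in anonymous Apex; in a real org it would come from a protected custom setting or a Named Credential callout, and the salt would be stored alongside the ciphertext it was generated for. Nothing here is appropriate for passwords: a user-chosen password needs PBKDF2, bcrypt, scrypt or Argon2 with a tuned work factor, which this HMAC construction does not provide.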

Key options
Shield internal KDF

Platform-managed. Administrators do not configure it directly; generating and rotating tenant secrets is the visible operation.

Password hashing KDF

Platform-managed for Salesforce user passwords. Users never see the derivation, and custom code cannot read the stored hashes.

Crypto.generateMac() in Apex

HMAC primitive for custom Apex. Usable as the building block for HKDF-style subkey derivation from a high-entropy secret; not a password hash, since it has no work factor.

External library through Named Credential

For password hashing in custom apps (PBKDF2, bcrypt, scrypt, Argon2), which Apex does not provide, call an external service through a Named Credential.

Auth Provider

Delegates authentication to an external identity provider, so no password reaches your Apex and nothing needs hashing. The standard alternative to a custom KDF in Apex.

Gotchas
  • Hand-rolling a KDF in Apex is a serious security risk. Standard algorithms exist for a reason; custom implementations usually have subtle bugs.
  • KDF slowness compounds with HSM round-trip for Cache-Only Key Service. The combined cost can make encrypted-field queries noticeably slower than plaintext queries.
  • Salt and IV are different concepts often confused. A salt is a KDF input: it makes the same secret derive different keys in different contexts and defeats precomputed tables. An IV is a cipher input: it makes the same plaintext encrypt to different ciphertexts under the same key. Both must be unique, neither needs to be secret, and a salt does not do the IV's job or vice versa.
  • Mass Encryption after rotation is the step that makes rotation meaningful. Skipping it leaves existing records encrypted under keys derived from the previous tenant secret, which must then stay archived and recoverable indefinitely.
  • Compliance audits sometimes ask about KDF specifics. Shield documents the algorithms; custom code needs separate documentation.

See the full Key Derivation Function (KDF) entry

Key Derivation Function (KDF) includes the definition, worked example, deep dive, related terms, and a quiz.