Salesforce Dictionary - Free Salesforce Glossary
How-to guide

Relate to the Master HSM in your architecture

The Master HSM is platform infrastructure not directly configurable by customers. The steps below cover the customer-side decisions about how to relate to it.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary
Last updated May 19, 2026

  1. Understand the layering

    Read Salesforce documentation on the Shield key hierarchy. Confirm understanding before evaluating customer-managed alternatives.

  2. Decide on key model

    Salesforce-Managed (relies entirely on Master HSM), BYOK (customer secret wrapped by Master HSM), or Cache-Only (customer HSM external to Salesforce). Each has different trust assumptions.

  3. For BYOK, plan secret generation

    Generate the customer tenant secret in the customer HSM. Coordinate the wrapping process by following Salesforce documentation.

  4. For Cache-Only, plan KMS infrastructure

    Stand up the customer KMS endpoint and configure connectivity from Salesforce to it. The Master HSM still participates in the trust chain.

  5. Document compliance posture

    For audits, reference the Salesforce compliance attestations that describe the Master HSM, and include them in customer compliance documentation.

  6. Monitor key operations

    Use Event Monitoring to watch key operation patterns. Master HSM operations themselves are not customer-visible, but the downstream key operations are.

  7. Review annually

    As compliance requirements evolve, revisit whether the current key model still satisfies them. The choice between Salesforce-Managed, BYOK, and Cache-Only is reversible but operationally heavy.

Key options
Salesforce-Managed Keys

The Master HSM is the entire customer key infrastructure. Simplest mode.

BYOK

The customer HSM generates the secret; the Master HSM wraps it. Layered model.

Cache-Only Key Service

The customer HSM holds the secret persistently; the Master HSM is involved only in transient operations.

Compliance attestations

Documentation Salesforce provides describing the Master HSM; customers reference it in audits.

Key model rollout

The choice between models. Reversible but operationally heavy.

Gotchas
  • The Master HSM is not customer-configurable. Customers cannot inspect or audit it directly; trust depends on compliance attestations.
  • Salesforce-Managed Keys rely entirely on the Master HSM. Customers needing more direct control use BYOK or Cache-Only.
  • BYOK secret upload uses Master HSM wrapping. Without the Master HSM, BYOK could not work cryptographically.
  • Cache-Only Key Service still involves the Master HSM in trust chain operations. Not a complete escape from Salesforce-controlled cryptography.
  • Compliance audits expect documentation, not direct HSM access. Reference Salesforce attestations rather than expecting to demonstrate the HSM directly.
