Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Full Master Secret entry
How-to guide

Decide on Master Secret protection model

Customers do not directly configure the Master Secret; the relevant decisions are about which key model to use. The steps below cover those decisions and the documentation expectations.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce DictionaryLast updated May 19, 2026

Customers do not directly configure the Master Secret; the relevant decisions are about which key model to use. The steps below cover those decisions and the documentation expectations.

  1. Understand the key hierarchy

    Read Salesforce Shield architecture documentation. Confirm understanding before evaluating customer-controlled alternatives.

  2. Choose key model

    Salesforce-Managed (Master Secret platform-internal), BYOK (Master Secret customer-controlled), or Cache-Only (Master Secret in customer KMS only).

  3. For Salesforce-Managed, rely on attestations

    Reference FedRAMP, SOC 2, and other Salesforce attestations for Master Secret protection evidence.

  4. For BYOK, generate Master Secret in customer HSM

    Use a FIPS-certified HSM to generate the Master Secret. Upload to Salesforce wrapped under Salesforce's wrapping key.

  5. For Cache-Only, configure KMS endpoint

    Stand up the customer KMS that will host the Master Secret. Configure connectivity from Salesforce.

  6. Document Master Secret protection

    For compliance audits, document the chain: HSM hardware, key generation process, rotation schedule, destruction procedures.

  7. Plan rotation and destruction procedures

    Master Secret rotation is rare and high-stakes. Document the procedure; require multi-party approval for destruction.

Key options
Salesforce-Managed Master Secretremember

Held in Salesforce Master HSM. Customer reliance on attestations.

BYOK Master Secretremember

Customer generates in their HSM; Salesforce holds wrapped copy.

Cache-Only Master Secretremember

Customer holds only; Salesforce fetches on demand.

Master Secret rotationremember

Rare operation; rotates derived tenant secrets.

Master Secret destructionremember

Irreversible; renders all derived secrets unusable.

Gotchas
  • The Master Secret cannot be viewed or exported by customers. Compliance verification depends on attestations and HSM-mediated operations.
  • Destruction is catastrophic. Build multi-party approval workflows; accidental destruction renders all derived data unrecoverable.
  • Master Secret rotation propagates to derived tenant secrets. Plan the cascade carefully; rotation cycles affect downstream data accessibility.
  • BYOK Master Secret wrapped under Salesforce wrapping key. Destruction of Salesforce wrapping key is also catastrophic; understand the dependency.
  • Cache-Only Master Secret depends on customer KMS availability. KMS downtime halts all decryption; plan KMS high availability.

See the full Master Secret entry

Master Secret includes the definition, worked example, deep dive, related terms, and a quiz.