Work with Master Wrapping Key in Shield

Customers do not directly configure the Master Wrapping Key. The steps below cover the related customer-side concerns.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary. Last updated May 19, 2026

  1. Understand the role

    Read the Salesforce Shield documentation on key wrapping. The Master Wrapping Key is the layer protecting tenant secrets at rest.

  2. For BYOK upload, follow the Salesforce protocol

    Salesforce documents the BYOK upload format. Wrap the customer secret with the Salesforce wrapping key as specified.

  3. For Cache-Only, configure the KMS

    The customer KMS sends wrapped key material to Salesforce. Configure it per the Salesforce documentation.

  4. Document the wrapping protection

    For compliance audits, reference the Master Wrapping Key's role in Salesforce attestations. Customer-side documentation describes the chain.

  5. Monitor for wrapping-related errors

    Key operations occasionally surface errors related to wrapping (corruption, version mismatch). If you see one, capture it in a support ticket.

  6. Test BYOK rotation if applicable

    BYOK rotation re-wraps under new Master Wrapping Key versions. Test in a sandbox before rotating in production.

  7. Reference in compliance reviews

    Cite the Master Wrapping Key as evidence of multi-layer key protection in customer compliance documentation.

Key options
AES Key Wrap algorithm

The standard algorithm used for wrapping. Customers do not configure it; it is platform-managed.

Salesforce-Managed wrapping

The Master Wrapping Key is in the Salesforce Master HSM.

Customer-Managed wrapping

For BYOK, the customer HSM holds the wrapping key for the upload protocol.

Wrapping key rotation

Salesforce-managed for the platform; customer-managed for BYOK.

Attestation documentation

Salesforce-provided evidence of wrapping protection.

Gotchas
  • The Master Wrapping Key is not customer-configurable. Customers cannot inspect or replace it directly.
  • The BYOK upload protocol requires the correct wrapping format. Mistakes here cause upload failures; follow Salesforce documentation carefully.
  • Wrapping-related errors usually indicate a corruption or version mismatch. Open a support ticket rather than attempting local debugging.
  • The Cache-Only Key Service relies on the wrapping protocol for in-transit key protection. KMS connectivity issues can surface as wrapping errors.
  • The wrapping key is part of the chain of trust. Compromise (rare in practice) would affect all customer secrets wrapped under it; Salesforce operates the HSM under strict controls.
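
The AES Key Wrap option and the corruption / version-mismatch gotcha above meet at the unwrap step. The following Go code is an added illustration, not Salesforce code and not the BYOK upload format: it implements generic RFC 3394 AES Key Wrap unwrapping and runs it on the RFC's published test vector to show that a damaged blob and a wrong wrapping key fail the same integrity check. `Unwrap`, `ErrUnwrap` and the sample values are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default IV: an unwrap is accepted only if this value comes back intact.
var iv = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

var ErrUnwrap = errors.New("unwrap failed: wrong wrapping key version or corrupted blob")

// Unwrap reverses RFC 3394 AES Key Wrap and releases the key only when the
// integrity value survives, so a damaged blob and a wrong KEK look the same.
func Unwrap(kek, blob []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(blob) < 24 || len(blob)%8 != 0 {
		return nil, errors.New("bad wrapping key size or blob length")
	}
	buf := append([]byte{}, blob...) // register A, then n 8-byte blocks R[1..n]
	n, b := len(buf)/8-1, make([]byte, 16)
	for t := 6 * n; t >= 1; t-- { // step counter t = n*j + i, run backwards
		r := buf[8*((t-1)%n+1):][:8] // block R[i]
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		c.Decrypt(b, b)
		copy(buf[:8], b[:8])
		copy(r, b[8:])
	}
	if subtle.ConstantTimeCompare(buf[:8], iv) != 1 {
		return nil, ErrUnwrap
	}
	return buf[8:], nil
}

func main() {
	// RFC 3394 section 4.1 test vector (published sample data, not a real key).
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	blob, _ := hex.DecodeString("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5")
	key, err := Unwrap(kek, blob)
	fmt.Printf("current KEK:  %x %v\n", key, err)
	blob[20] ^= 0x01 // one flipped bit, as storage or transit corruption would cause
	_, err = Unwrap(kek, blob)
	fmt.Println("damaged blob:", err)
}
```

Because the unwrap output alone cannot tell the two causes apart, a support ticket is more useful when it records which key version was in use and where the wrapped blob came from.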
