Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a tamper-resistant physical device that generates, stores, and uses cryptographic keys without exposing the key material to the surrounding software.
Definition
In the Salesforce context, HSMs are the foundation of Shield Platform Encryption's customer-controlled key options: when a customer uses Bring Your Own Key (BYOK) or Cache-Only Key Service, the master key material typically originates from and resides in an HSM operated by the customer. The HSM performs key operations (signing, decryption, key wrapping) inside the device rather than releasing the key itself, which provides the strongest available guarantee that keys cannot be extracted or copied.
HSMs come in several form factors. Network-attached appliances (Thales Luna, Utimaco SecurityServer) sit in customer data centers and serve key operations to applications through a network protocol. Cloud HSMs (AWS CloudHSM, Azure Dedicated HSM, Google Cloud KMS HSM) provide the same capabilities as a managed service. Most Salesforce customers using BYOK or Cache-Only Key Service rely on cloud HSMs because the operational simplicity outweighs the marginal control improvement of self-operated hardware.
How HSMs underpin Salesforce Shield encryption
What an HSM does that software cannot
HSMs hold key material in tamper-resistant hardware. Physical attempts to extract keys trigger destruction of the key material; software extraction attempts are blocked by the device's restricted API. The HSM exposes operations (sign this data, decrypt this ciphertext) but never returns the key. This contrasts with software key storage, where the key exists in memory at some point and is theoretically extractable by anyone with sufficient access to that memory.
FIPS 140-2 and the compliance role
HSMs are certified to FIPS 140-2 (or 140-3) security levels, with Level 3 being the typical target for enterprise use. The certification attests that the hardware meets specific security requirements: tamper evidence, identity-based authentication, automatic destruction on tampering. Many regulatory frameworks (PCI DSS, FedRAMP, HIPAA in some interpretations) require FIPS-certified HSMs for key storage, making HSM use a compliance check-box rather than an architectural choice.
Cloud HSM versus on-prem appliance
Cloud HSMs (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud KMS HSM) provide the same FIPS-certified capabilities as on-prem appliances without the operational burden. Their hourly cost is higher than that of an on-prem appliance amortized over years, but most enterprises find the trade-off worthwhile. On-prem makes sense only when regulations require physical custody of the device, or when the organization already operates an HSM fleet for other purposes. Cloud HSMs integrate cleanly with Salesforce Cache-Only Key Service through standardized protocols.
Integration with Shield Cache-Only Key Service
Salesforce's Cache-Only Key Service is designed to fetch keys from a customer HSM on demand. The customer hosts the HSM (cloud or on-prem); Salesforce retrieves the working key from it through a key wrapping protocol, uses the key briefly in memory, and then discards it. The HSM never exposes the master key, so even Salesforce cannot extract it. This satisfies the strictest compliance requirements, where data must remain unrecoverable by the cloud provider.
BYOK and HSM origination
With Bring Your Own Key, the customer generates the tenant secret in their HSM, exports it under a wrapping key, and uploads it to Salesforce. The HSM origination provides cryptographic provenance: the customer can demonstrate the key was generated under their custody, not by Salesforce. The customer keeps the master copy in the HSM; destroying it there is the path to revoking all access to encrypted data.
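The three properties described above (the device exposes operations but never the key, the only export path is a wrapped blob that another HSM holding the same wrapping key can import, and destroying the master copy revokes everything) are easier to reason about with a concrete model. The following Python is an added illustration, not code from this page, from Salesforce, or from any HSM vendor. The `SoftHsm` and `KeyHandle` classes, the cluster key-encryption key passed in at construction, and the `byok_roundtrip` walkthrough are all constructed for the example; the wrap construction (SHA-256 counter-mode keystream plus an HMAC-SHA256 tag) is a standard-library stand-in for the RFC 3394 AES Key Wrap that production HSMs use, and the point shown is the interface boundary, not the cipher.

```python
import hashlib
import hmac
import secrets


class KeyHandle:
    """Opaque reference to a key inside the HSM; carries no key bytes."""

    def __init__(self, label: str) -> None:
        self.label = label

    def __repr__(self) -> str:
        return f"KeyHandle({self.label!r})"


class SoftHsm:
    """Constructed software model of an HSM's restricted API (not a real HSM).

    Key bytes live only in self.__keys; callers get handles and operations.
    The cluster KEK is installed at provisioning time, standing in for a real
    device's key ceremony or cluster cloning. The wrap/unwrap construction
    below is a stdlib stand-in for RFC 3394 AES Key Wrap.
    """

    def __init__(self, name: str, cluster_kek: bytes) -> None:
        self.name = name
        self.__kek = cluster_kek            # shared by every HSM in one cluster
        self.__keys: dict[str, bytes] = {}  # label -> raw key, never returned

    def generate_key(self, label: str) -> KeyHandle:
        """A 256-bit key born inside the device; caller receives only a handle."""
        self.__keys[label] = secrets.token_bytes(32)
        return KeyHandle(label)

    def destroy_key(self, handle: KeyHandle) -> None:
        """Revocation path: once the master copy is gone, nothing can use it."""
        del self.__keys[handle.label]

    def export_cleartext(self, handle: KeyHandle) -> bytes:
        """No such operation exists on a real HSM; modelled as a refusal."""
        raise PermissionError(f"{handle!r}: cleartext export is not an HSM operation")

    def _key(self, handle: KeyHandle) -> bytes:
        if handle.label not in self.__keys:
            raise KeyError(f"{handle!r} is not present in HSM {self.name}")
        return self.__keys[handle.label]

    def sign(self, handle: KeyHandle, data: bytes) -> bytes:
        """Exposed operation: a MAC over data using the key, never the key."""
        return hmac.new(self._key(handle), data, hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [hashlib.sha256(self.__kek + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def wrap_key(self, handle: KeyHandle) -> bytes:
        """The only export path: key encrypted under the KEK, laid out nonce||ct||tag."""
        plaintext = self._key(handle)
        nonce = secrets.token_bytes(16)
        stream = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self.__kek, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unwrap_key(self, blob: bytes, label: str) -> KeyHandle:
        """Import a wrapped key; the cleartext appears only inside this HSM."""
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.__kek, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check: wrong KEK or tampered blob")
        stream = self._keystream(nonce, len(ciphertext))
        self.__keys[label] = bytes(c ^ k for c, k in zip(ciphertext, stream))
        return KeyHandle(label)


def byok_roundtrip() -> dict:
    """Walk the BYOK lifecycle: generate, use, wrap, restore elsewhere, revoke."""
    ceremony_kek = secrets.token_bytes(32)   # constructed: one customer cluster's KEK
    primary = SoftHsm("customer-primary", ceremony_kek)
    standby = SoftHsm("customer-standby", ceremony_kek)
    outsider = SoftHsm("third-party", secrets.token_bytes(32))  # different KEK

    tenant_secret = primary.generate_key("tenant-secret")
    record = b"constructed sample: ciphertext of one encrypted field"
    tag = primary.sign(tenant_secret, record)
    blob = primary.wrap_key(tenant_secret)   # the only thing that leaves the device

    restored = standby.unwrap_key(blob, "tenant-secret")   # backup/DR into a second HSM
    standby_matches = hmac.compare_digest(standby.sign(restored, record), tag)
    try:
        outsider.unwrap_key(blob, "tenant-secret")
        outsider_unwrapped = True
    except ValueError:
        outsider_unwrapped = False
    try:
        primary.export_cleartext(tenant_secret)
        cleartext_exported = True
    except PermissionError:
        cleartext_exported = False
    primary.destroy_key(tenant_secret)       # the revocation step described in the text
    try:
        primary.sign(tenant_secret, record)
        usable_after_destroy = True
    except KeyError:
        usable_after_destroy = False
    return {"wrapped_blob_len": len(blob), "standby_matches": standby_matches,
            "outsider_unwrapped": outsider_unwrapped, "cleartext_exported": cleartext_exported,
            "usable_after_destroy": usable_after_destroy}


if __name__ == "__main__":
    print(byok_roundtrip())
```

Running it prints a dictionary in which only `standby_matches` is true: the standby HSM, holding the same cluster KEK, can import the wrapped blob and produce identical signatures (the backup and DR case from the operational sections), while an HSM with a different KEK rejects the blob, cleartext export is refused, and once the primary copy is destroyed the handle is dead.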
Performance and latency considerations
Every key operation requires a round-trip to the HSM. For BYOK, this happens at key wrap/unwrap time, which is rare. For Cache-Only Key Service, this happens whenever Salesforce needs to decrypt new data, which can be frequent for heavy workloads. Plan HSM capacity for the operation rate, and design queries against encrypted fields with caching in mind. Network latency between Salesforce data centers and your HSM directly affects user-perceived performance.
Operational requirements
HSMs require operational discipline. Backup and disaster recovery for HSM-protected keys is non-trivial because the keys cannot be exported in cleartext; backups use wrapped key material that only another HSM can use. Multi-region replication adds complexity. Most cloud HSM services handle this automatically, but on-prem HSMs require deliberate planning. The operational discipline is part of why most Salesforce customers prefer cloud HSMs over on-prem.
Provision an HSM for Shield BYOK or Cache-Only Keys
Provisioning an HSM for use with Salesforce Shield is a coordinated effort between the customer's security team, the HSM vendor, and the Salesforce architecture team. The steps below cover the path for a cloud HSM integration.
- Pick the HSM service
Choose AWS CloudHSM, Azure Dedicated HSM, GCP Cloud KMS HSM, or an on-prem appliance. Most customers default to the cloud HSM of their primary cloud provider.
- Provision the HSM cluster
Follow the cloud provider documentation to provision an HSM cluster. Configure two HSMs minimum for high availability; single-HSM deployments fail when the device needs maintenance.
- Generate the tenant secret
Inside the HSM, generate the master key material for the Salesforce tenant secret. The key never leaves the HSM in cleartext; only wrapped versions can be exported.
- Configure connectivity to Salesforce
For Cache-Only Key Service, configure the HSM as a callable endpoint Salesforce can reach through the documented key wrapping protocol. For BYOK, export the wrapped key for upload.
- Configure Salesforce side
Setup > Encryption Settings > Key Management. For BYOK, upload the wrapped key. For Cache-Only Key Service, configure the endpoint and authentication.
- Test key operations
Encrypt a test field and confirm encryption succeeds. For Cache-Only, monitor the HSM logs to confirm Salesforce is making the expected calls.
- Set up monitoring and DR
Monitor HSM availability, key operation rate, and failure events. Define disaster recovery: how do you restore key access if the primary HSM cluster fails?
- AWS CloudHSM: Cloud HSM service in AWS. Common choice for AWS-centric customers.
- Azure Dedicated HSM: Cloud HSM service in Azure. Common choice for Azure-centric customers.
- Google Cloud KMS HSM: Google Cloud HSM-backed Key Management Service.
- On-prem HSM appliance: Self-operated HSM in the customer data center. Use when regulations require physical custody.
- FIPS 140-2 Level 3: Standard certification level for enterprise HSMs. Sufficient for most compliance frameworks.
- HSM single-instance deployments fail during maintenance. Always provision at least two HSMs in a cluster; single-instance is not production-grade.
- Cache-Only Key Service adds latency on every encrypted-field operation. Heavy reports filtering encrypted fields can run noticeably slower; benchmark before production.
- HSM backup is non-trivial. Keys cannot be exported in cleartext; restore requires another HSM that can unwrap the backup. Plan disaster recovery carefully.
- On-prem HSMs require deliberate operational discipline. Most customers find cloud HSMs simpler; reserve on-prem for cases where physical custody is mandated.
- Network connectivity to the HSM is a critical dependency. Outage of the HSM connectivity halts decryption on Cache-Only; design network paths for high availability.
Trust & references
Straight from the source - Salesforce's reference material on Hardware Security Module (HSM).
- How Shield Platform Encryption Works (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. What is a Hardware Security Module?
Q2. Why use HSMs for key management?
Q3. When are HSMs typically required?