
Master HSM

§ 01

Definition

The Master HSM is the central hardware security module that Salesforce uses internally to protect the master keys behind its key management infrastructure. In the Salesforce Shield key hierarchy, customer tenant secrets are themselves protected by wrapping under a higher-level master key, which lives in a FIPS-certified Master HSM operated by Salesforce. The Master HSM is the root of trust: customer-managed tenant secrets derive their working key material through operations involving the Master HSM, and Salesforce-managed keys are entirely controlled by the Master HSM.

The Master HSM is platform infrastructure rather than customer-facing configuration. Customers do not interact with it directly through the UI; they trust that Salesforce operates the HSM correctly under documented compliance programs (FedRAMP High, SOC 2, etc.). The Master HSM concept matters for compliance auditors and architects evaluating Shield: it explains how Salesforce-Managed Keys remain protected even from broad Salesforce employee access, and how the chain of trust extends from customer tenant secrets through Salesforce-controlled infrastructure to the underlying HSM hardware.

§ 02

How the Master HSM anchors Shield trust

Position in the key hierarchy

The Salesforce key hierarchy stacks several layers. At the bottom: data encryption keys derived per record. Above: tenant secrets per customer. Above that: master keys held in the Master HSM. The Master HSM is the deepest layer customers can reason about; deeper protection is platform-internal. Each layer protects the layer below through cryptographic wrapping; compromise at one layer does not automatically compromise the layers above.

Salesforce-operated, not customer-operated

The Master HSM is operated by Salesforce. Customers do not access it through APIs or Setup. The HSM lives in Salesforce data center infrastructure with restricted personnel access. For customers needing more direct control over keys, BYOK (Bring Your Own Key) and Cache-Only Key Service exist: those models let the customer interpose their own HSM rather than relying solely on the Master HSM.

Compliance role

The Master HSM is the artifact compliance auditors look for in Salesforce's compliance attestations. FedRAMP High, SOC 2, and similar reports describe the Master HSM's role and the controls around it. Customers in regulated industries cite the Master HSM in their own compliance documentation as evidence of Salesforce's underlying key protection. The HSM does not satisfy compliance requirements by itself; the surrounding operational controls matter equally.

Relationship to BYOK

BYOK customers generate their tenant secret externally and upload it to Salesforce. The upload uses a wrapping key generated by the Master HSM, so the customer's secret arrives at Salesforce encrypted under the Master HSM. Once uploaded, the customer secret is stored wrapped under the Master HSM. Destruction of the customer's master copy externally renders the Salesforce-stored copy useless because the customer wrapping process cannot be reversed.

Relationship to Cache-Only Key Service

Cache-Only customers go further: their tenant secret never persists on Salesforce infrastructure. The Salesforce-side workflow still involves the Master HSM for unwrapping the fetched key in memory, but the persistent key store is in the customer KMS. The Master HSM is part of the chain of trust but not the persistent custodian for these customers.

Customer-visible artifacts

Customers do not see the Master HSM directly. The visible artifacts are tenant secret records in Setup, key derivation in encrypted-field operations, and audit log entries for key operations. Compliance documentation provided by Salesforce describes the Master HSM and the protection it provides. Reference these documents in customer compliance audits rather than expecting to demonstrate the HSM directly.

Why this layering exists

The layered model achieves defense in depth. Without a Master HSM, customer tenant secrets would need to be stored in plaintext somewhere, creating a high-value target. With the Master HSM, tenant secrets are stored wrapped, so even physical compromise of the storage system does not reveal plaintext secrets. The HSM is the security perimeter that contains the deepest secret material.
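The layering described in this section, modelled as an added example (it is not Salesforce's implementation and not code from this entry): a `Layer` created without a key stands in for the Master HSM, the tenant secret exists at rest only in wrapped form, and each record's data key is derived from the unwrapped secret. AES-256-GCM as the wrap, HMAC-SHA256 as the derivation, and the names `Layer`, `data_key` and `record_layer` are assumptions.

```ruby
require 'openssl'

# One layer of the hierarchy: wraps child secrets under a key it has no accessor for.
# Layer.new with no argument generates its own key and stands in for the HSM.
class Layer
  def initialize(key = OpenSSL::Random.random_bytes(32))
    @key = key
  end

  # Returns nonce(12) || tag(16) || ciphertext; label is bound as associated data.
  def wrap(secret, label)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    nonce = c.random_iv
    c.auth_data = label
    sealed = c.update(secret) + c.final
    nonce + c.auth_tag + sealed
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key, wrong label or altered blob.
  def unwrap(blob, label)
    raise OpenSSL::Cipher::CipherError, 'wrapped blob too short' if blob.bytesize < 29
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = @key
    d.iv = blob.byteslice(0, 12)
    d.auth_tag = blob.byteslice(12, 16)
    d.auth_data = label
    d.update(blob.byteslice(28, blob.bytesize)) + d.final
  end
end

# Per-record data key derived from the tenant secret (HMAC-SHA256 is an assumption).
def data_key(tenant_secret, record_id)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), tenant_secret, "data-key:#{record_id}")
end

# Chain of trust: the HSM unwraps the tenant secret, which yields the record's key.
def record_layer(hsm, wrapped_secret, record_id)
  Layer.new(data_key(hsm.unwrap(wrapped_secret, 'tenant-secret'), record_id))
end

# Constructed demo values; nothing here is a real key or record.
hsm = Layer.new
at_rest = hsm.wrap(OpenSSL::Random.random_bytes(32), 'tenant-secret') # all that storage holds
field = record_layer(hsm, at_rest, 'rec-001').wrap('555-0100', 'rec-001')
puts record_layer(hsm, at_rest, 'rec-001').unwrap(field, 'rec-001')
```

In this model a copy of `at_rest` and `field` taken from storage is not enough to read the field: every read path goes through `hsm.unwrap`.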

§ 03

Relate to the Master HSM in your architecture

The Master HSM is platform infrastructure not directly configurable by customers. The steps below cover the customer-side decisions about how to relate to it.

  1. Understand the layering

    Read Salesforce documentation on the Shield key hierarchy. Confirm understanding before evaluating customer-managed alternatives.

  2. Decide on key model

    Salesforce-Managed (relies entirely on Master HSM), BYOK (customer secret wrapped by Master HSM), or Cache-Only (customer HSM external to Salesforce). Each has different trust assumptions.

  3. For BYOK, plan secret generation

    Generate the customer tenant secret in the customer HSM. Coordinate the wrapping process with Salesforce documentation.

  4. For Cache-Only, plan KMS infrastructure

    Stand up the customer KMS endpoint. Configure connectivity from Salesforce. The Master HSM still participates in the trust chain.

  5. Document compliance posture

    For audits, reference Salesforce compliance attestations describing the Master HSM. Include them in customer compliance documentation.

  6. Monitor key operations

    Use Event Monitoring to watch key operation patterns. The Master HSM operations themselves are not customer-visible, but downstream operations are.

  7. Review annually

    As compliance requirements evolve, revisit whether the current key model still satisfies them. The choice between Salesforce-Managed, BYOK, and Cache-Only is reversible but operationally heavy.

Key options
Salesforce-Managed Keys

Master HSM is the entire customer key infrastructure. Simplest mode.

BYOK

Customer HSM generates secret; Master HSM wraps it. Layered model.

Cache-Only Key Service

Customer HSM holds secret persistently. Master HSM only in transient operations.

Compliance attestations

Documentation Salesforce provides describing the Master HSM. Customer audit reference.

Key model rollout

Choice between models. Reversible but operationally heavy.

Gotchas
  • The Master HSM is not customer-configurable. Customers cannot inspect or audit it directly; trust depends on compliance attestations.
  • Salesforce-Managed Keys rely entirely on the Master HSM. Customers needing more direct control use BYOK or Cache-Only.
  • BYOK secret upload uses Master HSM wrapping. Without the Master HSM, BYOK could not work cryptographically.
  • Cache-Only Key Service still involves the Master HSM in trust chain operations. Not a complete escape from Salesforce-controlled cryptography.
  • Compliance audits expect documentation, not direct HSM access. Reference Salesforce attestations rather than expecting to demonstrate the HSM directly.
§

Trust & references

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.

§

Test your knowledge

Q1. What is the Master HSM?

Q2. Why use HSMs for key storage?

Q3. Do administrators interact with Master HSMs directly?
