Definition
In Salesforce Shield Platform Encryption, a Salesforce-managed cryptographic key stored in Hardware Security Modules (HSMs) that, combined with the tenant secret, derives the data encryption keys for an org.
Real-World Example
The system admin at BrightEdge Solutions recently implemented Master Secret to control how users interact with Salesforce data and features. After configuring Master Secret in the sandbox and validating it with key stakeholders, they rolled it out to production. User adoption improved because the interface now matches how teams actually work.
Why Master Secret Matters
In Salesforce Shield Platform Encryption, the Master Secret is a Salesforce-managed cryptographic key stored in Hardware Security Modules (HSMs) that, combined with the tenant secret, derives the data encryption keys for an org. The Master Secret is the same across all customer orgs, while tenant secrets are unique per org. The combination produces unique data encryption keys for each tenant, even though all tenants share the same underlying Master Secret infrastructure.
This design is what makes multi-tenant encryption work efficiently. The Master Secret is managed by Salesforce and never exposed to customers. Customer-controlled tenant secrets combine with the Master Secret to produce the actual encryption keys, ensuring tenant isolation while maintaining manageable key infrastructure at scale. Most administrators don't interact with the Master Secret directly; it's part of the underlying infrastructure that Platform Encryption builds on.
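The derivation described above, as an added sketch that is not Salesforce's code: PBKDF2-HMAC-SHA256 stands in for the platform's key derivation function, which this page does not specify, and `OrgKeyring`, `rotate`, `destroy` and the iteration count are hypothetical. It goes one step beyond the text by modeling replacement and destruction of a tenant secret, to show why control of the tenant secret amounts to control of the derived key.

```python
import hashlib
import os

KEY_LEN = 32         # 256-bit data encryption key
ITERATIONS = 10_000  # illustrative work factor chosen for this sketch


def derive_data_key(master_secret: bytes, tenant_secret: bytes) -> bytes:
    """Combine the shared master secret with one org's tenant secret."""
    if len(master_secret) < 32 or len(tenant_secret) < 32:
        raise ValueError("both secrets must be at least 256 bits")
    # PBKDF2 is a stand-in KDF: master secret as input, tenant secret as salt.
    return hashlib.pbkdf2_hmac("sha256", master_secret, tenant_secret,
                               ITERATIONS, KEY_LEN)


class OrgKeyring:
    """Hypothetical per-org record of tenant secrets, indexed by version."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret   # held by the platform, never by the org
        self._tenant_secrets = {}      # version -> customer-controlled secret
        self.active_version = 0

    def rotate(self) -> int:
        """Generate a new tenant secret; earlier versions stay derivable."""
        self.active_version += 1
        self._tenant_secrets[self.active_version] = os.urandom(32)
        return self.active_version

    def destroy(self, version: int) -> None:
        """Drop a tenant secret; its data key can no longer be derived."""
        del self._tenant_secrets[version]

    def data_key(self, version: int = 0) -> bytes:
        """Derive the key for a version (0 means the active one)."""
        secret = self._tenant_secrets.get(version or self.active_version)
        if secret is None:
            raise KeyError("no tenant secret for that version")
        return derive_data_key(self._master, secret)


if __name__ == "__main__":
    master = os.urandom(32)  # constructed stand-in for the HSM-held secret
    org_a, org_b = OrgKeyring(master), OrgKeyring(master)
    org_a.rotate(), org_b.rotate()
    print("orgs share a key:", org_a.data_key() == org_b.data_key())
```

Both orgs are built on the same master secret, yet their data keys differ because each tenant secret is generated independently; once a tenant secret is destroyed, the master secret alone cannot reproduce that org's key.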
How Organizations Use Master Secret
- Coastal Health — Documents the Master Secret architecture in their compliance evidence package for understanding how Platform Encryption maintains tenant isolation.
- Redwood Financial — Trusts the Master Secret + Tenant Secret combination to produce unique encryption keys per org, satisfying their compliance requirements.
- ShieldGuard Security — Treats the key derivation architecture as foundational to their security understanding without needing to manage Master Secrets directly.
