Definition
In Salesforce Shield Platform Encryption, a key stored in HSMs that encrypts (wraps) the tenant secrets, providing an additional layer of protection so tenant secrets are never stored in plain text.
Real-World Example
A Salesforce administrator at Coastal Health leverages the Master Wrapping Key to maintain data quality and enforce organizational policies across the platform. By properly setting up the Master Wrapping Key, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.
Why Master Wrapping Key Matters
In Salesforce Shield Platform Encryption, the Master Wrapping Key is a key stored in Hardware Security Modules (HSMs) that encrypts (wraps) the tenant secrets, providing an additional layer of protection so tenant secrets are never stored in plain text. The wrapping concept is a standard cryptographic technique for protecting sensitive keys: instead of storing them unencrypted, they're encrypted with a wrapping key that's protected by hardware.
The Master Wrapping Key is part of Salesforce's defense-in-depth approach to encryption. Even though the underlying infrastructure is highly secure, multiple layers of protection ensure that compromise of any single component doesn't expose the keys. Tenant secrets are wrapped by the Master Wrapping Key, the Master Wrapping Key is in HSMs, and the entire infrastructure is secured by Salesforce's broader security controls. Most administrators don't interact with this infrastructure directly; it's part of what makes Platform Encryption trustworthy at scale.
How Organizations Use Master Wrapping Key
- Coastal Health — Documents the wrapping key architecture as part of their HIPAA compliance evidence about Platform Encryption security.
- Redwood Financial — Trusts the defense-in-depth approach where wrapping keys add layers of protection beyond basic encryption.
- ShieldGuard Security — Treats the layered key protection as part of why Platform Encryption is appropriate for their compliance environment.
