Bring Your Own Encryption Keys (Pilot)

You don’t want Salesforce to generate key material for you? You have your own crypto libraries, enterprise key management system, or hardware security module (HSM)? Now you can bring your own keys (BYOK) to your Salesforce orgs for increased ownership of your data’s security. This feature is available in both Lightning Experience and Salesforce Classic.

You know the Salesforce promise: you own your data because we never access it. Bring Your Own Keys brings even more depth to that promise. This pilot lets you create tenant secrets outside of Salesforce using your own crypto libraries, enterprise key management system, or hardware security module. You grant Shield Platform Encryption’s key management machinery access to these keys, which you can encrypt with the public key of a self-signed or certificate authority (CA)-signed certificate. You can revoke this access on demand via the Key Management tooling in Setup or programmatically via the API.

You’re the expert on your company’s security needs, and with Bring Your Own Keys you’re in the driver’s seat. Whatever your service resiliency or disaster recovery posture, we’ll support you in providing the best security for your data.
Note

The Bring Your Own Keys feature is available through a pilot program. For information about joining this pilot, contact your Salesforce account executive.