Retain More Control of Key Material with the Cache-Only Key Service (Beta)
Why: Take even more control over the chain of custody of your key material with the Cache-Only Key Service. Cache-only keys aren’t persisted in any Salesforce system of record or backups. Instead, the service fetches key material from an on-premises key service, cloud-based key service, or cloud-based key brokering vendor of your choice. When your key material is fetched, it’s encrypted and stored in the cache for encryption and decryption operations.
How: Creating and hosting cache-compatible keys requires some setup in and outside of Salesforce. After you generate and prepare your key material, you create a named credential to use as a secure channel by which the service fetches the key material. You then configure your connection from the Key Management page in Setup.
Because your key material is stored outside of Salesforce, it’s important to maintain a functional callout connection. Use the Callout Check page to monitor your connection and quickly respond to key service interruptions that could prevent the service from fetching your keys.
From the Key Management page in Setup, click Details next to your cache-only key. Click Check, and review the details about your connection. You can then make the appropriate adjustments to your key service.