Retain More Control of Key Material with the Cache-Only Key Service (Beta)

Built on Shield Platform Encryption’s Bring Your Own Key service, the new Cache-Only Key Service addresses a unique need for non-persisted key material. You can store key material outside of Salesforce and have the Cache-Only Key Service fetch your key material on demand. Your key service transmits your key material over a secure channel that you configure. It’s then encrypted and stored in the cache for immediate encrypt and decrypt operations. You can destroy and rotate key material on demand and track cache-only key events, giving you full control of your key material.
Where: This feature applies to Salesforce Classic, Lightning Experience, and all versions of the Salesforce app in Enterprise, Performance, Unlimited, and Developer editions.


As a beta feature, Shield Platform Encryption Cache-Only Key Service is a preview and isn’t part of the “Services” under your master subscription agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only from generally available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame or at all, and we can discontinue it at any time. This feature is for evaluation purposes only. It’s offered as is, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions, Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content apply equally to your use of this feature. You can provide feedback and suggestions for Shield Platform Encryption Cache-Only Key Service in the IdeaExchange and through the Trailblazer Community. For information about enabling this feature in your organization, contact Salesforce.

Why: Take even more control over the chain of custody of your key material with the Cache-Only Key Service. Cache-only keys aren’t persisted in any Salesforce system of record or backups. Instead, the service fetches key material from an on-premises key service, cloud-based key service, or cloud-based key brokering vendor of your choice. When your key material is fetched, it’s encrypted and stored in the cache for encrypt and decrypt operations.

How: Creating and hosting cache-compatible keys requires some setup in and outside of Salesforce. After you generate and prepare your key material, you create a named credential to use as a secure channel by which the service fetches the key material. You then configure your connection from the Key Management page in Setup. Configure cache-only key callout connection on the Key Management page

Because your key material is stored outside of Salesforce, it’s important to maintain a functional callout connection. Use the Callout Check page to monitor your connection and quickly respond to key service interruptions that could prevent the service from fetching your keys.

From the Key Management page in Setup, click Details next to your cache-only key. Click Check (1), and review the details about your connection (2). You can then make the appropriate adjustments to your key service. Callout connection test results on Callout Check page