
Getting Started with Salesforce BYOK

This Quickstart section provides a comprehensive task listing of the Bring Your Own Key (BYOK) process for Salesforce. For more detailed instructions, please consult the Installation section. Visit Prerequisites for the necessary preparations beforehand.

note

Parameters in this document are shown as an example. Replace these parameters with your own.

Install and Configure Primus Tools

Download, install and configure the Primus Tools on the computer with an established Primus HSM or CloudHSM connection. For more information, visit the Primus Tools - Installation section.

Generate Salesforce BYOK Certificate

To encrypt data in Salesforce with Bring Your Own Key (BYOK) key material, use Salesforce to generate a self-signed certificate. The public key from the certificate will be used to encrypt your key material generated in your Primus HSM or CloudHSM.

note

A 4096-bit RSA key size is required for Salesforce BYOK.

A CA-signed certificate can also be used. See Generate Salesforce BYOK-Compatible Certificate for more information.

Generate and Wrap BYOK Key Material

Convert the exported Salesforce BYOK-compatible certificate into either .pem or .der format, create a tenant secret key on the HSM, and use Primus Tools to export and wrap the BYOK key material with the public key extracted from the BYOK-compatible certificate generated in the previous chapter.

note

The tenant secret must be an HMAC key; use the parameter HMACSHA256 when specifying the key type.

See Generate and Wrap BYOK Key Material for more information.
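As an added example (not part of this quickstart and not a Primus Tools command), the following POSIX shell script checks that the certificate exported from Salesforce carries the 4096-bit RSA public key the BYOK import requires, then produces the .pem and .der copies and the bare public key used for wrapping. It assumes openssl is installed; the file names are placeholders and the demo builds a constructed self-signed certificate in place of the real Salesforce export.

```shell
#!/bin/sh
# Added example: validate and convert a Salesforce BYOK certificate with openssl.
# Assumption: openssl is on PATH; input certificate is PEM or DER (auto-detected).
set -eu

# Return "PEM" or "DER" depending on whether the file is a PEM text block.
cert_inform() {
    if grep -q "BEGIN CERTIFICATE" "$1"; then echo PEM; else echo DER; fi
}

# Print the RSA modulus size in bits from the certificate's public key.
# openssl prints a line such as "Public-Key: (4096 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the key is RSA and exactly 4096 bits, as Salesforce BYOK requires.
check_byok_cert() {
    bits=$(cert_key_bits "$1")
    alg=$(openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text \
        | sed -n 's/.*Public Key Algorithm: \(.*\)/\1/p')
    [ "$alg" = "rsaEncryption" ] && [ "$bits" = "4096" ]
}

# Write <name>.pem, <name>.der and <name>.pub.pem (public key only) next to the input.
convert_byok_cert() {
    in=$1; base=${in%.*}; inform=$(cert_inform "$in")
    openssl x509 -in "$in" -inform "$inform" -out "$base.pem" -outform PEM
    openssl x509 -in "$in" -inform "$inform" -out "$base.der" -outform DER
    openssl x509 -in "$in" -inform "$inform" -noout -pubkey > "$base.pub.pem"
}

# Demo: a constructed self-signed 4096-bit certificate stands in for the Salesforce export.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:4096 -nodes -days 30 -subj "/CN=byok-demo" \
        -keyout "$dir/key.pem" -out "$dir/byok.crt" 2>/dev/null
    check_byok_cert "$dir/byok.crt" || { echo "certificate is not 4096-bit RSA" >&2; return 1; }
    convert_byok_cert "$dir/byok.crt"
    ls "$dir"
}
```

Run `demo` to see the generated files; a certificate with any other key type or size makes `check_byok_cert` fail before anything is converted.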

Import BYOK Tenant Secret

Import the generated BYOK-compatible key material files into Salesforce. If desired, opt out of Salesforce key derivation.

See Import BYOK Key Material for more information.

Ready to try?

Enjoy a 3-month free trial of CloudHSM Sandbox, compatible with Salesforce BYOK.