Prerequisites
Make sure the following prerequisites are met before continuing with the BYOK procedure:
- Salesforce account with an Enterprise, Performance, or Unlimited Edition subscription with Salesforce Shield enabled
- Either Salesforce Classic or Lightning Experience
- Salesforce user permissions Manage Encryption Keys, Manage Certificates and Customize Application; for more information see the Salesforce documentation - Bring Your Own Key (BYOK)
- Securosys Primus HSM or CloudHSM Service with JCE license and JCE API enabled, HSM firmware 2.8.45 or newer
- Securosys Primus Tools v2.3.1 or newer; see the Primus Tools - Prerequisites section for the Primus Tools prerequisites
Please review the Salesforce prerequisites in the Salesforce - Bring Your Own Key section of the Salesforce Developers documentation.
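The firmware and tool minimums above are easy to misjudge when comparing version strings by eye or with plain string sorting (for instance, "2.10.0" sorts before "2.8.45" as text). As an added example that is not part of the Securosys guide, the POSIX shell script below compares dotted version strings component by component against the two minimums listed. The version values are constructed samples; how to read the actual firmware version from the HSM or the Primus Tools version is not shown here and must be supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the Securosys guide: gate the BYOK procedure on the
# minimum versions listed in the prerequisites.

MIN_HSM_FIRMWARE="2.8.45"   # from the prerequisites list
MIN_PRIMUS_TOOLS="2.3.1"    # from the prerequisites list

# version_ge A B: returns 0 (true) when dotted version A >= B.
# Components are compared numerically one at a time, so 2.10.0 > 2.8.45.
# Missing trailing components count as 0 (2.3 == 2.3.0).
# Returns 2 when a component is not a plain decimal number.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        case "$ac$bc" in *[!0-9]*) return 2;; esac
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        # drop the component just compared
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# check_prerequisites FIRMWARE TOOLS: prints one line per check and returns
# 0 only when both versions meet the minimums.
check_prerequisites() {
    fw="$1"; tools="$2"; rc=0
    if version_ge "$fw" "$MIN_HSM_FIRMWARE"; then
        echo "OK   HSM firmware $fw >= $MIN_HSM_FIRMWARE"
    else
        echo "FAIL HSM firmware $fw < $MIN_HSM_FIRMWARE (or unparsable)"; rc=1
    fi
    if version_ge "$tools" "$MIN_PRIMUS_TOOLS"; then
        echo "OK   Primus Tools $tools >= $MIN_PRIMUS_TOOLS"
    else
        echo "FAIL Primus Tools $tools < $MIN_PRIMUS_TOOLS (or unparsable)"; rc=1
    fi
    return $rc
}

# Constructed sample values; replace them with the versions reported by your
# HSM and your Primus Tools installation.
check_prerequisites "2.8.45" "2.3.1"
```

Run it with the two versions you have confirmed on the device and the tools host; a FAIL line means the corresponding prerequisite is not met and the BYOK procedure should not proceed until it is.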
Primus HSM Configuration
Setting up the Primus HSM hardware or your CloudHSM partition is not described in this guide. Please refer to the corresponding User Guides downloadable from the Securosys Support Portal (account required).
The Securosys on-premises Primus HSM or Securosys CloudHSM partition needs the Crypto policy (and User policy) configured to allow Key Export and Key Extract for the partition in use.
The CloudHSM services are preconfigured for Salesforce BYOK. Ensure the JCE API is included and activated in your subscription. For the available service packages and options, go to the Cloud Console or contact sales.
Follow the steps below to configure the on-premises Primus HSM:
- Enable Key Export on user/partition level (SO activation required):
  - HSM User Interface (LC Display), Primus X/S-Series:
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXPORT
  - HSM Console, Primus HSM, all Series:
    hsm_sec_enter_user_config
    hsm_user_set_config key_export=true
- Enable Key Extract on user/partition level (SO activation required):
  - HSM User Interface (LC Display), Primus X/S-Series:
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXTRACT
  - HSM Console, Primus HSM, all Series:
    hsm_sec_enter_user_config
    hsm_user_set_config key_extract=true
- The Primus Tools commands require the JCE interface enabled on device and user level (plus license):
  - HSM User Interface (LC Display), Primus X/S-Series:
    SETUP → CONFIGURATION → SECURITY → DEVICE SECURITY → CRYPTO POLICY → JCE
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → JCE
  - HSM Console, Primus HSM, all Series:
    hsm_sec_set_config jce=true
    hsm_sec_enter_user_config
    hsm_user_set_config jce=true