Getting Started with Salesforce BYOK
This Quickstart section gives a complete task listing of the Bring Your Own Key (BYOK) process for Salesforce. For detailed instructions, consult the Installation section; see Prerequisites for the preparations needed before you start.
Parameters in this document are shown as an example. Replace these parameters with your own.
Install and Configure Primus Tools
Download, install and configure the Primus Tools on a computer that has an established connection to the Primus HSM or CloudHSM. For more information, visit the Primus Tools - Installation section.
Generate Salesforce BYOK Certificate
To encrypt data in Salesforce with Bring Your Own Key (BYOK) key material, use Salesforce to generate a self-signed certificate. The public key from the certificate will be used to encrypt your key material generated in your Primus HSM or CloudHSM.
A 4096-bit RSA key size is required for Salesforce BYOK.
A CA-signed certificate can also be used. See Generate Salesforce BYOK-Compatible Certificate for more information.
Generate and Wrap BYOK Key Material
Convert the exported Salesforce BYOK-compatible certificate into either .pem or .der format, create a tenant secret key on the HSM, and use Primus Tools to export and wrap the BYOK key material with the public key extracted from the BYOK-compatible certificate generated in the previous chapter.
The tenant secret must be an HMAC key: use the parameter HMACSHA256 when specifying the key type.
See Generate and Wrap BYOK Key Material for more information.
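The certificate handling in this step is easy to get wrong (wrong encoding, a CA-signed certificate with a 2048-bit key, a non-RSA key), and the resulting wrapped key material is then rejected at import time. The following script is an added example, not part of the Primus Tools documentation or product: it converts the exported certificate between .pem and .der, extracts the public key, and checks that the key is RSA with a 4096-bit modulus before the certificate is handed to Primus Tools. It assumes a standard openssl binary is installed; the file names are placeholders. The actual wrapping of the HMAC tenant secret is done by Primus Tools against the HSM and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the Primus Tools documentation): prepare and verify the
# Salesforce BYOK certificate before wrapping. Assumes `openssl` is on PATH.
set -eu

# Convert a PEM-encoded certificate to DER.   $1 = input .pem, $2 = output .der
cert_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Convert a DER-encoded certificate to PEM.   $1 = input .der, $2 = output .pem
cert_to_pem() {
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
}

# Extract the public key (SubjectPublicKeyInfo, PEM) from a PEM certificate.
# $1 = certificate .pem, $2 = output public key .pem
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Print the modulus size in bits of a PEM public key (empty if not parseable).
# Matches both "RSA Public-Key: (4096 bit)" (OpenSSL 1.1) and "Public-Key: (4096 bit)" (OpenSSL 3).
pubkey_bits() {
    openssl pkey -pubin -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p' | head -n 1
}

# Succeed only if the certificate carries an RSA public key with a 4096-bit
# modulus, which is what Salesforce BYOK requires.   $1 = certificate .pem
check_byok_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    algo=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p' | head -n 1)
    [ "$algo" = "rsaEncryption" ] || {
        echo "$1: public key algorithm is '$algo', Salesforce BYOK needs rsaEncryption" >&2
        return 1
    }
    [ "${bits:-0}" -eq 4096 ] || {
        echo "$1: RSA modulus is ${bits:-?} bits, Salesforce BYOK needs 4096" >&2
        return 1
    }
    echo "$1: OK, rsaEncryption with a 4096-bit modulus"
}

# Usage: ./byok_cert_check.sh salesforce_byok_cert.pem
# (placeholder file name; runs only when a certificate path is given)
if [ "$#" -ge 1 ]; then
    check_byok_cert "$1"
    extract_pubkey "$1" "byok_pubkey.pem"
    cert_to_der "$1" "byok_cert.der"
    echo "public key written to byok_pubkey.pem, DER certificate to byok_cert.der"
fi
```

Run the check on the certificate exactly as exported from Salesforce; if it reports a modulus other than 4096 bits, regenerate the certificate before creating the tenant secret, since the wrapped key material cannot be fixed afterwards.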
Import BYOK Tenant Secret
Import the generated BYOK-compatible key material files into Salesforce. If desired, opt out of Salesforce key derivation.
See Import BYOK Key Material for more information.
Enjoy a 3-month free trial of CloudHSM Sandbox, compatible with Salesforce BYOK.
- Sign up and download the HSM credentials within minutes.
- Browse CloudHSM Sandbox service description