Configure Salesforce Cache-Only Keys
In this step you will learn how to configure the Salesforce Cache-Only Key Service to load a key from a Primus HSM or CloudHSM through the Securosys proxy.
This step assumes that you have deployed the Securosys Proxy for Salesforce Cache-Only Key Service in the previous step, and that this proxy is reachable from Salesforce over the internet, for example at https://cache-only-key-proxy.example.com.
Configure Permission and Access Control
Before you can make use of Cache-Only Keys, you need to configure some basic permission- and access control-related settings in Salesforce. Follow the Salesforce documentation to:
- Configure an External Credential
  - From the Authentication Protocol dropdown list, select the access control that you have configured in the previous step, such as Basic Authentication or No Authentication.
- Configure an External Named Principal
- Create a Permission Set for the Named Principal
- Assign the autoprocUser to the Permission Set
- Create a Named Credential for the Cache-Only Key
  - In the URL field, enter the URL to your proxy deployment, followed by the path to the API (which is usually /keys). For example: https://cache-only-key-proxy.example.com/keys
These steps are described in detail in the Salesforce documentation and are not repeated here. The Securosys-specific settings are highlighted in the bullet points above.
Add a Cache-Only Key
Follow the Salesforce documentation to add a Cache-Only Key, specifically Step 6 "Use the Named Credential with a New Cache-Only Key".
As the "Unique Key Identifier", add DEK_Salesforce.
The Unique Key Identifier corresponds to the key label on the HSM.
Click "Check" to test if Salesforce can successfully reach out to your proxy and fetch the key.
You don't need to manually create this key on the HSM. If it does not yet exist, the Cache-Only Key Proxy will automatically create an AES-256 key with the correct key attributes on the HSM for you.
Currently, DEK_Salesforce is the only key identifier supported by the proxy.
The ability to freely select a key identifier/label is an open feature request.
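As an added check that is not part of the Securosys or Salesforce documentation, the following Python validates the response your proxy returns at the URL Salesforce requests (the Named Credential URL plus the key identifier), which is what the "Check" button exercises. It assumes the proxy answers in the Salesforce Cache-Only Key response format: a JSON document with `kid` and `jwe` fields, the latter a compact JWE using RSA-OAEP and A256GCM with the key identifier in its header; the sample response is constructed.

```python
import base64
import json

# "DEK_Salesforce" and the "/keys" path come from this page; the response shape
# (JSON with "kid"/"jwe", compact JWE, RSA-OAEP + A256GCM, header kid) is assumed.
EXPECTED_KID = "DEK_Salesforce"
EXPECTED_ALG = "RSA-OAEP"
EXPECTED_ENC = "A256GCM"


def key_url(named_credential_url: str, kid: str = EXPECTED_KID) -> str:
    """URL Salesforce fetches: Named Credential URL (proxy + /keys) plus the key identifier."""
    return named_credential_url.rstrip("/") + "/" + kid


def _b64url_decode(segment: str) -> bytes:
    # JWE segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_response(body: str, expected_kid: str = EXPECTED_KID) -> list[str]:
    """Return the problems found in a proxy response body; an empty list means it looks valid."""
    problems = []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not JSON"]
    if doc.get("kid") != expected_kid:
        problems.append(f"kid {doc.get('kid')!r} does not match {expected_kid!r}")
    jwe = doc.get("jwe")
    if not isinstance(jwe, str):
        return problems + ["missing jwe field"]
    parts = jwe.split(".")
    if len(parts) != 5:
        return problems + [f"jwe has {len(parts)} segments, expected 5"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        return problems + ["jwe header is not base64url-encoded JSON"]
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if header.get("enc") != EXPECTED_ENC:
        problems.append(f"unexpected enc {header.get('enc')!r}")
    if header.get("kid") != expected_kid:
        problems.append("jwe header kid does not match the requested key identifier")
    return problems


def constructed_sample() -> str:
    # Constructed, well-formed response for offline testing; segments after the header are placeholders.
    header = {"alg": EXPECTED_ALG, "enc": EXPECTED_ENC, "kid": EXPECTED_KID}
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return json.dumps({"kid": EXPECTED_KID, "jwe": ".".join([h, "ek", "iv", "ct", "tag"])})
```

Fetch the URL from key_url() with your own HTTP client (using the same credentials you configured in the External Credential) and pass the body to validate_response() before clicking "Check".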
Next Steps
This completes the integration of Salesforce Cache-Only Key Service with Primus HSM or CloudHSM. Salesforce should now be able to fetch keys from your HSM, cache the keys, and eventually re-request them.
You can go on to add the same key identifier (DEK_Salesforce) for other data types as well (such as "Fields and Files", "Event Bus", or "Search Index").
Note that replay protection is currently not supported by the Cache-Only Key Proxy.
If you want to learn more about how to configure the Salesforce Cache-Only Key Service, please see the Salesforce documentation.