What is Salesforce Cache-Only Key Service?

Salesforce is a leading cloud-based customer relationship management (CRM) platform that delivers a comprehensive suite of applications for sales, service, marketing, analytics, and more. By enabling businesses to manage customer interactions, operational workflows, and data in a unified platform, Salesforce drives efficiency and innovation across industries. Its cloud-native architecture, support for AI, and extensive APIs make it a powerful foundation for digital transformation.

Salesforce Cache-Only Key Service (abbreviated to Cache-Only Keys) is an enhancement to Salesforce Shield Platform Encryption designed for organizations that require high performance, reliability, and strong control over their encryption key lifecycle. Unlike traditional Bring Your Own Key (BYOK) configurations, where encryption keys must be fetched from an external key source and imported into the Salesforce Organization, Cache-Only Keys allows Salesforce to cache the key after the first retrieval. This significantly reduces the dependency on real-time access to external key management systems, resulting in faster operations and improved fault tolerance.

More importantly, the Cache-Only Key Service provides Salesforce customers with full control and ownership over their encryption keys. If there is ever a need to revoke access to keys stored in a Primus HSM or CloudHSM, customers can simply stop the Securosys Middleware. This action immediately breaks the connection between Salesforce and the HSM, preventing any new key retrievals.

Once disconnected, only the encryption keys already cached within Salesforce remain usable. These cached keys are automatically flushed every 72 hours. However, certain Salesforce operations can trigger cache flushes more frequently—on average, every 24 hours. Additionally, if a data encryption key is destroyed in the HSM, the corresponding cached key in Salesforce becomes invalid immediately. This mechanism ensures that customers retain strict control over data access and can enforce key revocation with predictable timing and impact.

Integration with Securosys Primus HSM and CloudHSM

To support this advanced encryption model, Salesforce allows integration with Hardware Security Modules (HSMs) through a secure middleware. Securosys provides a dedicated Securosys Cache-Only Keys Middleware (abbreviated as Middleware) which enables Salesforce Cache-Only Keys integration with either the on-premise Primus HSM or the cloud-based CloudHSM.

This Middleware is developed, maintained, and supported by Securosys, and is distributed as a Docker container; see the Download section for how to obtain it. The Middleware never accesses the keys inside the secure storage of the HSM; it merely forwards the requests from Salesforce to your Primus HSM or CloudHSM Partition.

The setup process is straightforward: users deploy the container and configure a YAML file that defines the connection to their Primus HSM or CloudHSM Partition. The Middleware communicates securely with Salesforce using Named Credentials, a native Salesforce feature that handles authentication and secure connections to external services.

For more information on how to deploy the Securosys Middleware, see the Installation section.

This architecture ensures that encryption keys generated and stored in a certified HSM can be accessed securely by Salesforce, while allowing customers to retain full control over their key lifecycle.

Cache-Only Keys Workflow with Middleware

When users access encrypted data or add sensitive information to encrypted fields, the Cache-Only Key Service first checks Salesforce’s local encrypted key cache for the corresponding Data Encryption Key (DEK). If the DEK is found in the cache, it is immediately used for the encryption or decryption operation.

Salesforce Cache-Only Keys Workflow

  1. If the DEK is not available in the cache, the Cache-Only Key Service initiates a call to the Securosys Cache-Only Keys Middleware, using the configured Named Credential for secure authentication. The Middleware checks whether the DEK already exists and, if not, creates it.
  2. The Middleware responds with a wrapped Customer Encryption Key (CEK), which is itself encrypted using a Key Encryption Key (KEK) and formatted as a JSON Web Encryption (JWE) object using the BYOK-compatible certificate from Salesforce.
  3. Salesforce validates the response and forwards the CEK to the regional Shield Key Management Service (KMS), which uses the private key associated with the HSM-generated certificate to unwrap the CEK.
  4. Once unwrapped, the CEK is returned to the encrypted key cache over a TLS-secured connection. The DEK is then unwrapped using the CEK.
  5. After decryption, the DEK is re-wrapped with a CEK and stored in the encrypted cache, making it available for future encryption and decryption operations.

Subsequent requests are handled entirely within the encrypted key cache, eliminating the need for additional external key service calls—unless the DEK is rotated, revoked, or the cache is flushed. Once the cache is flushed, either automatically (every 72 hours) or due to certain Salesforce operations (typically every 24 hours), the Cache-Only Key Service will retrieve the DEK again from the Securosys Middleware during the next request.
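The following is an added Go model of the key exchange in steps 2 to 4, written for this page; it is neither the Securosys Middleware's code nor Salesforce's. WrapDEK plays the Middleware (wrapping a DEK under a CEK, and the CEK under the KEK, that is, the public key of Salesforce's BYOK certificate) and UnwrapDEK plays the Shield KMS and key cache. The JWE header values RSA-OAEP and A256GCM and the kid field are standard JWE names and are assumed here to be what the service expects; the real Middleware forwards to the HSM instead of generating keys in software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// WrapDEK models the Middleware side of step 2: the DEK is encrypted under a fresh CEK with AES-256-GCM,
// the CEK is wrapped with RSA-OAEP under the KEK (Salesforce's BYOK certificate), and a 5-part JWE is returned.
func WrapDEK(kek *rsa.PublicKey, kid string, dek []byte) (string, error) {
	protected := b64.EncodeToString([]byte(`{"alg":"RSA-OAEP","enc":"A256GCM","kid":"` + kid + `"}`)) // assumed header
	buf := make([]byte, 32+12) // fresh random CEK followed by the 96-bit GCM IV
	if _, err := rand.Read(buf); err != nil { return "", err }
	cek, iv := buf[:32], buf[32:]
	wrappedCEK, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, kek, cek, nil)
	if err != nil { return "", err }
	block, _ := aes.NewCipher(cek) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, dek, []byte(protected)) // protected header is the AAD; output is ciphertext || tag
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, b64.EncodeToString(wrappedCEK), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// UnwrapDEK models the Shield KMS and key-cache side of steps 3 and 4: the CEK is unwrapped with the
// private key behind the BYOK certificate and then used to recover the DEK. GCM authenticates both the
// ciphertext and the protected header, so a tampered response or a wrong key yields an error, never a bogus DEK.
func UnwrapDEK(priv *rsa.PrivateKey, jwe string) (dek []byte, err error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 { return nil, errors.New("malformed JWE: expected 5 parts") }
	raw := make([][]byte, 5) // header, wrapped CEK, IV, ciphertext, tag
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil { return nil, err }
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), nil, priv, raw[1], nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(cek) // fails if the unwrapped CEK is not a valid AES key length
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	if len(raw[2]) != gcm.NonceSize() { return nil, errors.New("bad IV length") }
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}
```

Because the header is bound into the GCM tag as additional data, changing the kid in transit or presenting the response to a KMS holding a different private key fails closed, which is the property the Named Credential and certificate pairing in the workflow relies on.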
