Salesforce Cache-Only Key Service
Salesforce is a leading cloud-based customer relationship management (CRM) platform that delivers a comprehensive suite of applications for sales, service, marketing, analytics, and more. By enabling businesses to manage customer interactions, operational workflows, and data in a unified platform, Salesforce drives efficiency and innovation across industries. Its cloud-native architecture, support for AI, and extensive APIs make it a powerful foundation for digital transformation.
Salesforce Cache-Only Key Service (abbreviated to Cache-Only Keys) is an enhancement to Salesforce Shield Platform Encryption designed for organizations that require high performance, reliability, and strong control over their encryption key lifecycle. Unlike Salesforce BYOK (where encryption keys are fetched from an external KMS/HSM once and are permanently imported into the Salesforce Organization), Cache-Only Keys only temporarily caches the keys within Salesforce.
This allows enterprises to keep control over the key lifecycle (unlike BYOK), while at the same time ensuring faster operations and improved fault tolerance (unlike systems that require every operation to go via an external KMS or HSM). If there is ever a need to revoke Salesforce's access to the keys stored in a Primus HSM or CloudHSM, customers can simply stop the Securosys proxy or otherwise cut off the connection to the HSM Partition. This prevents Salesforce from performing any new key retrievals.
Once disconnected, only the encryption keys already cached within Salesforce remain usable. These cached keys are automatically flushed every 72 hours. However, certain Salesforce operations can trigger cache flushes more frequently—on average, every 24 hours. Additionally, if a data encryption key is destroyed in the HSM, the corresponding cached key in Salesforce becomes invalid immediately. This mechanism ensures that customers retain strict control over data access and can enforce key revocation with predictable timing and impact.
Integration with Securosys Primus HSM and CloudHSM
Securosys provides a dedicated Securosys Proxy for Salesforce Cache-Only Key Service (abbreviated as Cache-Only Key Proxy) that implements Salesforce's API. This enables Salesforce Cache-Only Keys to use an on-premise Primus HSM or a CloudHSM as an external KMS.
This proxy is developed, maintained, and supported by Securosys, and is distributed as an easy-to-deploy Docker container. The proxy is responsible for translating and forwarding the requests from Salesforce to your Primus HSM or CloudHSM Partition.
The setup process is straightforward: users deploy the proxy container and configure it with a YAML file that defines the connection to their Primus HSM or CloudHSM Partition. The proxy communicates securely with Salesforce using Named Credentials, a native Salesforce feature that handles authentication and secure connections to external services. On the other side, the proxy communicates securely with the Primus HSM using its JCE API.
For more information on how to deploy the Securosys proxy, see the Installation section.
Cache-Only Keys Workflow

When users access encrypted data or add sensitive information to encrypted fields in Salesforce, the Cache-Only Key Service checks Salesforce's local key cache for the corresponding Data Encryption Key (DEK). If the DEK is found in the cache, it is immediately used for the encryption or decryption operation. If the DEK is not available in the cache, the flow proceeds as follows:
- The Cache-Only Key Service initiates a call to the Securosys Cache-Only Key Proxy.
- This call is made using Salesforce's "Named Credential" feature, using one of its supported authentication protocols.
- The proxy checks whether a key with the hard coded label already exists. If not, it creates a new key. This is the DEK.
- Note: Currently, the key label is hard coded to DEK_Salesforce. The values of the "Unique Key Identifier" that you set in Salesforce are ignored.
- The proxy returns the DEK to Salesforce.
- The DEK is wrapped for the Salesforce BYOK Certificate, whose public key is downloaded once from the Salesforce portal and configured in the proxy.
- The wrapping uses hybrid public key encryption: The DEK (an AES key) is wrapped using a Content Encryption Key (CEK, another AES key). The CEK is a session key, and is freshly generated for each response. The CEK in turn is wrapped using RSA-OAEP with the public key from the Salesforce BYOK Certificate.
- This is done using the JSON Web Encryption (JWE) standard (RFC 7516).
- Salesforce unwraps the DEK using the private key corresponding to the BYOK Certificate (which Salesforce holds).
- Salesforce keeps the DEK in its cache and uses it for encryption/decryption operations.
- Eventually, Salesforce invalidates its cache.
Subsequent operations are handled by the key cache, eliminating the need for additional external key service calls—until the DEK is rotated within Salesforce, revoked, or the cache is flushed. Once the cache is flushed, either automatically (every 72 hours) or due to certain Salesforce operations (typically every 24 hours), the Cache-Only Key Service will retrieve the DEK again from the Securosys proxy during the next request.
Benefits
- Maintain control over the key lifecycle: Unlike Salesforce BYOK (where keys are permanently imported into Salesforce), Cache-Only Keys imports the keys into Salesforce only temporarily. When needed, you can cut off Salesforce's access to your HSM.
- High performance: By letting Salesforce cache the keys, performance is higher than if every operation had to make a network request to the remote Primus HSM.
Next Steps
- Read the quickstart guide for an overview of the installation steps.
- Follow the installation guide to set up Cache-Only Keys with a Primus HSM.
- Download the Securosys Cache-Only Key Proxy.