Managing Salesforce Tenant Secrets
This section describes how to manage Salesforce tenant secrets on CCKM. The Salesforce tenant secrets are referred to as keys on the CCKM GUI.
When a new tenant secret is created, its status becomes ACTIVE
, and the status of the previous tenant secret becomes ARCHIVED
.
When an ARCHIVED
tenant secret is destroyed, its status becomes DESTROYED
. A destroyed tenant secret can either be imported or deleted. When a destroyed tenant secret is imported, its status changes to ARCHIVED
.
Before proceeding, you must have a Salesforce organization added to the CCKM. Refer to Salesforce Organizations for details.
Salesforce Tenant Secret Types
CCKM lets you manage three types of tenant secrets, Salesforce Native, Bring Your Own Key (BYOK) or cache-only key.
Salesforce Native tenant secrets are generated directly on Salesforce.
BYOK tenant secrets are keys which CCKM creates from CipherTrust Manager or DSM, and uploads to Salesforce through a secure channel. Traffic for BYOK operations only takes place from CCKM to Salesforce and not the reverse direction. BYOK keys can act either as key encryption keys or data encryption keys on Salesforce, depending on whether you select the key derivation option.
Cache-only key tenant secrets are keys which CCKM creates from CipherTrust Manager or DSM, and uploads to Salesforce, which stores the key material in the encrypted key cache to encrypt or decrypt data on demand. After Salesforce flushes its cache and a new cryptographic request is made, Salesforce fetches key material from a cache-only key endpoint on CCKM. These key transmissions occur in a secure tunnel.
You can perform the following operations with Salesforce tenant secrets:
Key Creation Methods and Sources
Methods to create Salesforce keys using CCKM are:
Creating/Uploading New Key Material: Add key material by creating and uploading new source key or creating new native key. The key source can be:
CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to Salesforce to create a new Salesforce key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Salesforce (Native): A new key is directly created on Salesforce using the native Salesforce application. The key origin is
NATIVE
.Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Salesforce to create a new Salesforce key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key sources can be:
CipherTrust (Local): An existing local CipherTrust Manager key is uploaded to Salesforce to create a new Salesforce key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to the Salesforce cloud to create a new Salesforce key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Creating/Uploading New Key Material
To add a Salesforce key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click Add Key. The Select Material Origin screen of the Add Salesforce Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
Salesforce (Native): Refer to Creating Salesforce (Native) Key Material for details.
Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on key sources.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select CipherTrust Key
Select CipherTrust (Local).
Click Next. The Configure CipherTrust Key screen is displayed.
Configure CipherTrust Key
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Salesforce cloud.
Click Next.
Configure Salesforce Key
Select the desired Organization from the drop-down list. The new key will be uploaded to this organization.
Select the Tenant Secret Type from the drop-down list. The options are Data, EventBus, SearchIndex, DeterministicData, and Analytics.
(Optional) Select either of the following check boxes depending on your requirements:
Use Key Derivation. This option is for BYOK tenant secrets only.
If you do not want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned ON (on Salesforce, Security > Platform Encryption > Advanced Settings), otherwise, the BYOK upload fails.
Enabling the Allow BYOK to Opt Out of Key Derivation option disables the Salesforce key derivation process and allows you to use your uploaded key material as the final encryption key.
However, if you want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned OFF on Salesforce.
Make this a cache-only key. When you select this check box, the Named Credential field is displayed.
If you select Make this a cache-only key, ensure that the Allow Cache-Only Keys with BYOK option is turned ON on Salesforce. Enabling this option lets Salesforce fetch remotely-stored encryption keys from an endpoint that you provide.
For a non cache-only key (that is, when Make this a cache-only key is not selected), a BYOK-compatible certificate is mandatory. Refer to the next step.
Select the desired Certificate from the drop-down list.
The certificate that you select must be a BYOK-compatible 4096-RSA certificate. It can be a self-signed or CA-signed certificate. If the certificate does not meet these requirements, an error occurs and the key upload fails. Refer to Generate a BYOK-Compatible Certificate for details.
(Required if you selected Make this a cache-only key) Select the desired Named Credential from the drop-down list.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Salesforce Key wizard is closed.
The newly created key is displayed in the list of Salesforce keys.
Creating Salesforce (Native) Key Material
Create the key material directly using native Salesforce application.
Select Material Origin > Select Source
Select Salesforce (Native).
Click Next. The Configure Salesforce Key screen is displayed.
Configure Salesforce Key
Select the desired Organization from the drop-down list.
Select the key Type from the drop-down list. The options are Data, EventBus, SearchIndex, DeterministicData, and Analytics.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Salesforce Key wizard is closed.
The newly created key is displayed in the list of Salesforce cloud keys. The origin of the key is NATIVE
.
Uploading Vormetric DSM Key Material
Upload the key material using Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Configure DSM Key screen is displayed.
Configure DSM Key
Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to the Salesforce cloud.
(Optional) Provide a Description for the key.
Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.
Click Next.
Configure Salesforce Key
Select the desired Organization from the drop-down list. The new key will be uploaded to this organization.
Select the key Type from the drop-down list. The options are Data, EventBus, SearchIndex, DeterministicData, and Analytics.
(Optional) Select either of the following check boxes depending on your requirements:
Use Key Derivation. This option is for BYOK tenant secrets only.
If you do not want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned ON (on Salesforce, Security > Platform Encryption > Advanced Settings), otherwise, the BYOK upload fails.
Enabling the Allow BYOK to Opt Out of Key Derivation option disables the Salesforce key derivation process and allows you to use your uploaded key material as the final encryption key.
However, if you want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned OFF on Salesforce.
Make this a cache-only key. When you select this check box, the Named Credential field is displayed.
If you select Make this a cache-only key, ensure that the Allow Cache-Only Keys with BYOK option is turned ON on Salesforce. Enabling this option lets Salesforce fetch remotely-stored encryption keys from an endpoint that you provide.
For a non cache-only key (that is, when Make this a cache-only key is not selected), a BYOK-compatible certificate is mandatory. Refer to the next step.
Select the desired Certificate from the drop-down list.
The certificate that you select must be a BYOK-compatible 4096-RSA certificate. It can be a self-signed or CA-signed certificate. If the certificate does not meet these requirements, an error occurs and the key upload fails. Refer to Generate a BYOK-Compatible Certificate for details.
(Required if you selected Make this a cache-only key) Select the desired Named Credential from the drop-down list.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Salesforce Key wizard is closed.
The newly created key is displayed in the list of Salesforce cloud keys.
Cloning Existing Key Material
To add a new Salesforce key by cloning key material existing on the CipherTrust Manager or the DSM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click Add Key. The Select Material Origin screen of the Add Salesforce Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.
Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust Key
Select the desired key from the CipherTrust Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
Click Next. The Configure Salesforce Key screen is displayed.
Configure Salesforce Key
Select the desired Organization from the drop-down list. The new key will be uploaded to this organization.
Select the key Type from the drop-down list. The options are Data, EventBus, SearchIndex, DeterministicData, and Analytics.
(Optional) Select either of the following check boxes depending on your requirements:
Use Key Derivation. This option is for BYOK tenant secrets only.
If you do not want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned ON (on Salesforce, Security > Platform Encryption > Advanced Settings), otherwise, the BYOK upload fails.
Enabling the Allow BYOK to Opt Out of Key Derivation option disables the Salesforce key derivation process and allows you to use your uploaded key material as the final encryption key.
However, if you want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned OFF on Salesforce.
Make this a cache-only key. When you select this check box, the Named Credential field is displayed.
If you select Make this a cache-only key, ensure that the Allow Cache-Only Keys with BYOK option is turned ON on Salesforce. Enabling this option lets Salesforce fetch remotely-stored encryption keys from an endpoint that you provide.
For a non cache-only key (that is, when Make this a cache-only key is not selected), a BYOK-compatible certificate is mandatory. Refer to the next step.
Select the desired Certificate from the drop-down list.
The certificate that you select must be a BYOK-compatible 4096-RSA certificate. It can be a self-signed or CA-signed certificate. If the certificate does not meet these requirements, an error occurs and the key upload fails. Refer to Generate a BYOK-Compatible Certificate for details.
(Required if you selected Make this a cache-only key) Select the desired Named Credential from the drop-down list.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Salesforce Key wizard is closed.
The newly created key is displayed in the list of Salesforce keys.
Cloning Vormetric DSM Key Material
Clone and upload the DSM key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Select DSM Key screen is displayed.
Select DSM Key
Select the desired key from the DSM Key Name drop-down list. This field displays the available DSM keys.
Click Next. The Configure Salesforce Key screen is displayed.
Configure Salesforce Key
Select the desired Organization from the drop-down list. The new key will be uploaded to this organization.
Select the key Type from the drop-down list. The options are Data, EventBus, SearchIndex, DeterministicData, and Analytics.
(Optional) Select either of the following check boxes depending on your requirements:
Use Key Derivation. This option is for BYOK tenant secrets only.
If you do not want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned ON (on Salesforce, Security > Platform Encryption > Advanced Settings), otherwise, the BYOK upload fails.
Enabling the Allow BYOK to Opt Out of Key Derivation option disables the Salesforce key derivation process and allows you to use your uploaded key material as the final encryption key.
However, if you want to select Use Key Derivation, ensure that the Allow BYOK to Opt Out of Key Derivation option is turned OFF on Salesforce.
Make this a cache-only key. When you select this check box, the Named Credential field is displayed.
If you select Make this a cache-only key, ensure that the Allow Cache-Only Keys with BYOK option is turned ON on Salesforce. Enabling this option lets Salesforce fetch remotely-stored encryption keys from an endpoint that you provide.
For a non cache-only key (that is, when Make this a cache-only key is not selected), a BYOK-compatible certificate is mandatory. Refer to the next step.
Select the desired Certificate from the drop-down list.
The certificate that you select must be a BYOK-compatible 4096-RSA certificate. It can be a self-signed or CA-signed certificate. If the certificate does not meet these requirements, an error occurs and the key upload fails. Refer to Generate a BYOK-Compatible Certificate for details.
(Required if you selected Make this a cache-only key) Select the desired Named Credential from the drop-down list.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Salesforce Key wizard is closed.
The newly created key is displayed in the list of Salesforce cloud keys.
Viewing Salesforce Keys
The Salesforce Keys page shows the list of Salesforce keys available on the CipherTrust Manager. Search for keys by Organization ID or Organization Name. The Salesforce keys within an organization are categorized by data types.
To view the Salesforce keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce. The list of available Salesforce keys is displayed. The Salesforce Keys page displays the following details:
Field Description Organization Name Name of the Salesforce organization where the key is created. Organization ID ID of the Salesforce organization where the key is created. Data Type Type of the key data. The data type can be:
• Data in Salesforce
• Deterministic
• Search Index
• Analytics
• Event BusVersion Latest version of the Salesforce key. Status State of the Salesforce key. The status can be:
• Active
• Archived
• DestroyedOrigin Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.Cache Only Whether the key is a cache-only key. A cache-only key is indicated by a check mark (). Backup Whether the key material is downloaded from the Salesforce cloud to the CipherTrust Manager. A check mark () shows that the key material is downloaded. The import operation enabled for such keys.
A blank column indicates that the key material of the particular key is not downloaded from Salesforce. The import operation is not available for such keys.Creation Date Date and time when the Google Cloud key is created.
To view keys of a particular type under a Salesforce organization, click the expand icon () to the left of the Organization Name link.
Sometimes, you might notice certain Salesforce keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the Salesforce cloud connection.
Connection is changed in KMS. The new connection does not have permissions to access the keys.
Refreshing Salesforce Keys
Refreshing is the process of downloading keys created in Salesforce organizations to CCKM. You can refresh keys from all Salesforce organizations at once.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce. The Salesforce Keys page is displayed. This page displays the list of Salesforce keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Salesforce > Salesforce Keys page.
Viewing Versions of a Key
To view the versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Under Organization Name, click the expand icon ( to the left of the desired key type. The key version details are displayed:
Field Description Data Type Data type of the key. Version Version number of the key. All versions of the key are listed, each on a separate row. Status State of the Salesforce key. The status can be:
• Active
• Archived
• DestroyedOrigin Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.Cache Only Whether the key is a cache-only key. A cache-only key is indicated by a check mark (). Backup Whether the key material is downloaded from the Salesforce cloud to the CipherTrust Manager. A check mark () shows that the key material is downloaded. The import operation enabled for such keys.
A blank column indicates that the key material of the particular key is not downloaded from Salesforce. The import operation is not available for such keys.Creation Date Date and time when the Google Cloud key is created.
Alternatively, click the overflow icon () corresponding to the desired key, click View/Edit, and expand KEY VERSIONS to view key version details. You can also click the Organization Name, Organization ID, or Data Type link corresponding to desired key to view the key version details.
Destroying a Key Version
If required, you can destroy archived versions of a key. A destroyed version cannot operate on data. Destroy tenant secrets and key material if you no longer need access to related data. After a key material is destroyed, related data cannot be accessed unless you import previously exported key material.
A destroyed key version can be imported or deleted later.
To destroy an archived key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired archived version.
Click Destroy. The Destroy Key dialog box is displayed.
Click Destroy to confirm the action.
The state of the key version changes to Destroyed.
Importing a Destroyed Key Version
If required, you can import a destroyed version of a key. After a version is imported, its status becomes archived.
To import a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired destroyed version.
Click Import. The Import Key dialog box is displayed.
Click Import to confirm the action.
The state of the key version changes to Archived.
Deleting a Key Backup
You can delete the backup of a key from CCKM. After the key backup is deleted, it cannot be imported into the Salesforce cloud. Only the backup of a destroyed key can be deleted.
To delete a key backup:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired destroyed version.
Click Delete. The Delete Backup dialog box is displayed.
Select I wish to delete the backup of this key.
Click Delete Key Backup to confirm the action.
The deleted key backup cannot be imported to the Salesforce cloud.
Activating a Cache-Only Key
Cache-only keys allow for an additional key status transition on Salesforce, from Destroyed to Active. This causes Salesforce to fetch the cache-only key material from CCKM.
The Salesforce API only allows CCKM to activate the latest version of the cache-only key. You cannot activate older versions.
To activate a cache-only key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Salesforce.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the latest key version.
Click Activate.