Key Broker for Salesforce
The Salesforce Key Broker service provides high-entropy tenant secrets for the Bring Your Own Key (BYOK) feature in Salesforce Shield Platform Encryption. These tenant secrets are protected by an HSM root of trust. The Key Broker service also includes functions to view and manage tenant secrets, including the ability to revoke Salesforce access and to restore secrets to Salesforce.
If you create sandbox organizations, keep in mind that there is a one-to-one relationship between Key Broker services and Salesforce organizations. Making a sandbox copy of an existing organization does not allow the new sandbox to access the Key Broker services associated with the existing organization. Similarly, if you create a Key Broker service associated with a sandbox, that sandbox's production or development organization will not have access to that Key Broker service.