
Adding a Key Broker for Salesforce Service



During this procedure, you grant the Key Broker service access to a Salesforce user account so that a secure connection can be established and tenant secrets can be uploaded. The Key Broker service creates a new BYOK certificate to wrap tenant secrets with, so you do not need to generate one yourself.


You need a Salesforce user account with the following permissions: API Enabled, Manage Encryption Keys, and Modify All Data. The organization must have Platform Encryption enabled; Platform Encryption is available only in developer and production organizations, not in trial organizations. Consult the Salesforce documentation for information on configuring these permissions.
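A pre-flight check for the three permissions listed above, as an added example that is not part of the original documentation: it builds a SOQL query for the user's permission set assignments and reports which required permissions no assigned set grants. The PermissionSet field names, the username and the sample records are assumptions constructed for illustration.

```python
# Added example: pre-flight check of the Salesforce user's effective permissions.
# Field names follow Salesforce's "Permissions<Name>" convention on PermissionSet
# and are assumptions here; confirm them in your org before relying on the query.
REQUIRED = {
    "API Enabled": "PermissionsApiEnabled",
    "Manage Encryption Keys": "PermissionsManageEncryptionKeys",
    "Modify All Data": "PermissionsModifyAllData",
}

def build_soql(username):
    """SOQL listing every permission set (profile-owned ones included) of a user."""
    if "'" in username or "\\" in username:
        raise ValueError("unexpected character in username")
    fields = ", ".join(f"PermissionSet.{f}" for f in REQUIRED.values())
    return ("SELECT PermissionSet.Name, PermissionSet.IsOwnedByProfile, "
            f"{fields} FROM PermissionSetAssignment "
            f"WHERE Assignee.Username = '{username}'")

def missing_permissions(records):
    """Return required permission labels not granted by any assigned permission set.

    Effective permissions are the union over the profile and all permission sets,
    so one record with the flag set to True is enough.
    """
    granted = set()
    for rec in records:
        pset = rec.get("PermissionSet") or {}
        for label, field in REQUIRED.items():
            if pset.get(field) is True:
                granted.add(label)
    return [label for label in REQUIRED if label not in granted]

# Constructed sample: the "records" array of a query response for one user.
SAMPLE_RECORDS = [
    {"PermissionSet": {"Name": "X00eCONSTRUCTED0001", "IsOwnedByProfile": True,
                       "PermissionsApiEnabled": True,
                       "PermissionsManageEncryptionKeys": False,
                       "PermissionsModifyAllData": False}},
    {"PermissionSet": {"Name": "Key_Broker_Setup", "IsOwnedByProfile": False,
                       "PermissionsApiEnabled": False,
                       "PermissionsManageEncryptionKeys": True,
                       "PermissionsModifyAllData": False}},
]

if __name__ == "__main__":
    print(build_soql("keybroker.admin@example.com"))
    gaps = missing_permissions(SAMPLE_RECORDS)
    print("missing:", gaps or "none")
```

For the constructed sample, the check reports Modify All Data as missing, which would need to be granted before starting the wizard.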

Create a Key Broker for Salesforce Service

Under the Services tab, click Add Service, and then under the Key Management Services heading click Provision Service. If you have not submitted a Service Elections form, click Try Service.

Log in as a Salesforce user with the correct permissions. If your Salesforce account requires two-factor authentication, you are prompted at this point to verify your identity.

You are asked to allow account access. If the listed permissions are "Access your basic information", "Access and manage your data", and "Perform requests on your behalf at any time", click Allow.

You are returned to the Add Key Broker for Salesforce wizard in the DPoD interface.

Review and accept the terms of service, then click Next.

Enter a service name. Choose whether to generate a tenant secret immediately or later. If you choose to generate the secret later, refer to Managing a SalesForce KeyBroker Service. If you choose to generate a tenant secret immediately, you are prompted to select one or more secret types: Data, Deterministic, Analytics, or Search Index. Your Salesforce organization must have the Analytics and Deterministic secret types enabled to generate those secret types.

Click Next.

Review the summary of your service, including information about the associated Salesforce account. If you chose to generate any tenant secrets, the summary indicates whether they were generated successfully. If a secret failed to generate, a message indicates the problem. Click Close to exit the wizard.