

Key Broker for Salesforce

Adding a Key Broker for Salesforce Service



During this procedure, you grant the Key Broker service access to a Salesforce user account so that it can establish a secure connection and upload tenant secrets. The Key Broker service creates a new BYOK certificate to wrap tenant secrets with, so you do not need to generate one yourself.


You need a Salesforce user account with the following permissions: API Enabled, Manage Encryption Keys, and Modify All Data. The organization must have Platform Encryption enabled; Platform Encryption is available only in developer and production organizations, not in trial organizations. Consult the Salesforce documentation for information on configuring these permissions.

You require a DPoD subscriber tenant to provision a CipherTrust Data Security Platform service. See Register a Subscriber Tenant for more information about creating a DPoD subscriber tenant.

Create a Key Broker for Salesforce Service

  1. Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.

  2. Open the Services tab and select the Add Service heading. Navigate the marketplace categories and click Create Service on the service that you would like to provision. If you have not submitted a Service Elections form or previously completed a trial for the service, the option is displayed as Try Service.

    You are redirected to a Salesforce login portal.

  3. Log in to Salesforce as a user with the permissions described in Prerequisites.

  4. You are prompted to allow DPoD access to Salesforce. If the listed permissions are "Access your basic information", "Access and manage your data", and "Perform requests on your behalf at any time", click Allow.

  5. You are returned to the DPoD "Add Service" wizard. Review the Terms of Service and click Next.

  6. On the Configure Service page, enter the required criteria for the service.


    If you choose to generate the secret later, refer to Managing a SalesForce KeyBroker Service. If you choose to generate a tenant secret immediately, you are prompted to check one or more of the different secret types, which are Data, Deterministic, Analytics, or Search Index. Your Salesforce organization must have Analytics and Deterministic secret types enabled to generate those secret types.

    Click Next.

  7. Review the service summary page, including the information about the associated Salesforce account. If you chose to generate any tenant secrets, the summary indicates whether they were generated successfully. If a secret failed to generate, a message indicates the problem. Click Close to exit the wizard.