Your suggested change has been received. Thank you.

Free Registration
- Explore Thales Docs

Accounts
Services
Technical Resources
DPoD APIs

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

Key Broker for Salesforce

Managing a Key Broker for Salesforce Service

Services
Luna Cloud HSM Services
Luna Cloud HSM Service Integrations
CipherTrust Key Management Services
- Key Broker for Salesforce
  - Adding a Key Broker for Salesforce Service
  - Managing a Key Broker for Salesforce Service
  - Setting a Rotation Policy
  - Migrating Key Broker for Salesforce to CipherTrust Data Security Platform as a Service
- Key Broker for Google Cloud EKM
  - Service Guide
  - Key Setup Guide
  - Key Use Guide
  - Frequently Asked Questions
  - Migrating Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service
- CipherTrust Data Security Platform as a Service
payShield Cloud Services
- payShield Cloud HSM Service
  - Service Overview
  - Prerequisites
  - Getting Started
    - payShield Cloud HSM Configuration/Subscription Options
    - How to Subscribe to the payShield Cloud HSM Service
  - Service Specifications
  - Connecting to the payShield Cloud HSM Service
    - Azure Connection Guide
    - GCP Connection Guide
    - AWS Connectiontion Guide
  - Service Provisioning from DPoD Platform
    - Trial Tier Provisioning
    - Production Tier Provisioning
    - View Sevice Status
  - HSM Management using payShield Manager
    - Preparing for HSM Commission
    - Steps to Commission payShield Manager
    - Adding Another HSM to the Security Domain
    - Transitioning between HSM States via payShield Manager
    - Viewing Network Interfaces in payShield Manager
  - HSM Deprovisioning
  - APPENDIX A - Glossary
  - APPENDIX B - DPoD Errors
- Point-to-Point Encryption
  - Adding a Point-to-Point Encryption Service
  - Using the service
  - P2PE CLI
    - p2pe key
    - p2pe service
    - p2pe tls
  - P2PE REST API
  - P2PE errors
  - Service Details
  - Frequently Asked Questions
Partner Services

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

DPoD Documentation
Services
CipherTrust Key Management Services
Key Broker for Salesforce
Managing a Key Broker for Salesforce Service

Managing a Key Broker for Salesforce Service

Once you have created a Key Broker for Salesforce service, you can view information on the service, and all tenant secrets, whether generated through Salesforce or through DPoD. You can also change the status of some tenant secrets, and generate a new tenant secret to replace the current secret.

The Salesforce limit on how often you can generate a data tenant secret (once every 24 hours in production orgs and developer orgs, once every 4 hours in sandbox environments) is also in place for tenant secrets generated by DPoD. If DPoD loses access to Salesforce you can restore it with To reauthorize Salesforce access.

View service information

Navigate to your service through View Services (My Services for application owners). Click the service name.
View the service configuration. The following settings are displayed:

DPoD Settings:
- Service Name
- Service Type
- Created
- Created by
Salesforce settings:
- Salesforce Username
- Salesforce Instance URL
- Salesforce User ID
- Salesforce Organization ID
- Salesforce Display Name
View the listed Tenant Secrets. The following attributes of each secret are displayed:
- Status - Indicates the tenant secret`s capabilities.
- Active - Can be used to encrypt or decrypt data. Only one secret can be active at a time.
- Archived - Cannot encrypt new data. Can decrypt data previous encrypted with this secret when it was active. You can revoke an Archived secret in the Actions column, which destroys the secret in Salesforce only.
- Destroyed - Cannot encrypt or decrypt data. Data encrypted with this secret when it was active cannot be decrypted. This indicates that the secret was destroyed in Salesforce and a copy is not stored in DPoD.
- Revoked - Cannot encrypt or decrypt data. This secret displays as Destroyed in Salesforce. However, this secret still exists on DPoD, and you can change the status from Revoked to Archived in the Actions column.
- Version - The version number of the secret.
- Type - This refers to the kind of data the tenant secret encrypts. Options include: Data, Analytics, Search Index, Deterministic.
- Created At - Date and time the tenant secret was generated. Timestamp in format Day-Month-Year time in 24-hour notation.
- Created By - Username of the Salesforce user who created the tenant secret.
- Last Modified At - Date and time the tenant secret was modified. Timestamp in format Day-Month-Year time in 24-hour notation.
- Modified by - Username of the Salesforce user who modified the tenant secret.
- Actions - Actions you can perform on the secret.
- Revoke - change a secret's status from Archived to Revoked. This deletes the secret from Salesforce, but retains a copy in DPoD.
- Restore - change a secret's status from Revoked back to Archived. This restores the DPoD copy back to Salesforce.

Generate a new tenant secret

Navigate to your service through View Services (My Services for application owners). Click the service name.
Click Generate Secret.
Select the type(s) of secret you would like to generate by enabling the checkboxes. Salesforce allows for one active secret of each type, so you can replace any of the active Data, Analytics, Search index, or Deterministic secrets. Your Salesforce organization must have Analytics and Deterministic secret types enabled to generate those secret types.

This new secret replaces the current active secret, and appears in the DPoD tenant secret list, as well as in the Salesforce interface. The previously active secret appears as "Archived".

Delete the service

If you are viewing a service's details, click the Delete button in the upper right corner.

If you are viewing the service list on the View Services page (My Services for application owners), click the trash can icon in the Actions column for the service you wish to delete.

A confirmation dialog displays.
Confirm the deletion by entering the service name and clicking Delete.

Reauthorize Salesforce access

Navigate to your service through View Services (My Services for application owners). Click the service name.

Under tenant secrets a message is displayed indicating that DPoD has lost access to the Salesforce account.
Click the Reauthorize Access button.

A dialog displays indicating that you will be brought to Salesforce.
Click the Go to Salesforce button.
Log in to Salesforce. You may connect with the original account associated with the service, or another user account within the same organization. If your Salesforce account requires two-factor authentication, you are prompted at this point to verify the identity.
You are asked to allow account access. If the listed permissions are "Access your basic information", "Access and manage your data", and "Perform requests on your behalf at any time", click Allow.

You are returned to DPoD, and your tenant secrets are displayed in the table.

On this page

View service information
Generate a new tenant secret
Delete the service
Reauthorize Salesforce access

DPoD Documentation

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Services
Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link

Copy Link