Generate Your Own Tenant Secret (BYOK)
- Generate a BYOK-Compatible Certificate. To encrypt customer-supplied key material, use Salesforce to generate a 4096-bit RSA certificate. You can generate a self-signed or certificate-authority (CA) signed certificate. Each BYOK-compatible certificate’s private key is encrypted with a derived, org-specific tenant secret key.
- Generate and Wrap Your Tenant Secret. Generate a random number as your tenant secret. Then calculate a SHA256 hash of the secret, and wrap the secret by encrypting it with the public key from the certificate you generated.
- Upload Your Tenant Secret. Once you have your tenant secret, upload it to Salesforce. The Shield Key Management Service (KMS) uses your tenant secret to derive your org-specific data encryption key.
- Opt-Out of Key Derivation with BYOK. If you don’t want Salesforce to derive a data encryption key for you, you can opt out of key derivation and upload your own final data encryption key. Opting out gives you even more control over the key material used to encrypt and decrypt your data.
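The certificate, generate, hash and wrap steps above as a local dry run with the OpenSSL CLI, an added example that is not Salesforce's own tooling: a locally generated self-signed 4096-bit certificate stands in for the one Salesforce issues, RSA-OAEP is assumed as the wrapping padding (confirm the padding against the Salesforce upload instructions), and the script checks that the wrapped secret unwraps to the hashed value before anything is uploaded.

```shell
#!/bin/sh
# Added example (not Salesforce code). Assumptions: a self-signed 4096-bit RSA
# certificate stands in for the Salesforce-generated BYOK certificate, and
# RSA-OAEP is the wrapping padding. All files land in a scratch directory.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the BYOK-compatible certificate and its private key.
make_stub_cert() {
  openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=byok-stub" \
    -keyout "$WORK/byok.key" -out "$WORK/byok.crt" >/dev/null 2>&1
  openssl x509 -in "$WORK/byok.crt" -pubkey -noout > "$WORK/byok.pub"
}

# Check before wrapping: the certificate key must really be 4096-bit RSA.
cert_bits() {
  openssl x509 -in "$WORK/byok.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Tenant secret = 32 random bytes; SHA-256 of the secret (base64) goes
# alongside the wrapped secret, which is the secret RSA-OAEP-encrypted to the
# certificate's public key and base64-encoded on one line for upload.
wrap_tenant_secret() {
  openssl rand 32 > "$WORK/secret.bin"
  openssl dgst -sha256 -binary "$WORK/secret.bin" \
    | openssl base64 -A > "$WORK/secret.sha256.b64"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/byok.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.bin" \
    | openssl base64 -A > "$WORK/wrapped.b64"
}

# Sanity check: unwrap with the private key and compare the hash of the
# recovered secret with the hash file that would be uploaded. Prints "ok".
verify_wrap() {
  openssl base64 -d -A -in "$WORK/wrapped.b64" \
    | openssl pkeyutl -decrypt -inkey "$WORK/byok.key" \
        -pkeyopt rsa_padding_mode:oaep > "$WORK/unwrapped.bin"
  got=$(openssl dgst -sha256 -binary "$WORK/unwrapped.bin" | openssl base64 -A)
  [ "$got" = "$(cat "$WORK/secret.sha256.b64")" ] && echo ok
}

make_stub_cert
echo "certificate key size: $(cert_bits) bits"
wrap_tenant_secret
echo "wrap round-trip: $(verify_wrap)"
echo "files for upload: $WORK/wrapped.b64 $WORK/secret.sha256.b64"
```

In a real BYOK run the private key never exists outside Salesforce, so the round-trip check only works against a local stand-in certificate; against the real certificate you can still verify the key size and that the wrapped output is a single-line base64 value.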