Retain Control of Your Keys with the Cache-Only Key Service (Generally Available)

Get more control over the chain of custody of your key material. With the Platform Encryption: Cache-Only Key Service, you can store your key material outside of Salesforce using a key service of your choice. The Cache-Only Key Service fetches the key material on demand. Your key service transmits your key material over a secure channel that you configure. It’s then encrypted and stored in the cache for immediate encrypt and decrypt operations.

Where: This change applies to Salesforce Classic, Lightning Experience, and all versions of the Salesforce app in Enterprise, Performance, Unlimited, and Developer editions.

Who: Available to customers who purchased the Cache-Only Key Service add-on subscription. To purchase, contact your account executive.

Why: The Cache-Only Key Service addresses a unique need for non-persisted key material. Cache-only keys aren’t persisted in any Salesforce system of record or backups. Instead, the service fetches key material from an on-premises key service, cloud-based key service, or cloud-based key brokering vendor of your choice. After your key material is fetched, it’s encrypted and stored in the cache for encrypt and decrypt operations.

Illustration of how key material passes from a customer's key service to Salesforce over secured channels.

You can destroy and rotate key material on demand and track cache-only key events, giving you full control of your key material.

How: Creating and hosting cache-compatible keys requires some setup in and outside of Salesforce. After you generate and prepare your key material, create a named credential to use as a secure channel over which the service fetches the key material. Then configure your connection on the Key Management page in Setup.

Use the Callout Check page to check that the callout connection to your key service is working. If it isn’t, the page gives you the information you need to make the appropriate adjustments. You can also use the Callout Check page to monitor your connection and quickly respond to key service interruptions that could prevent the service from fetching your keys.

New in Spring ’19

  • Rotate, generate, and update cache-only keys programmatically using the Enterprise API.
  • Opt in to replay detection for added security. Update your key service to accept nonces as part of the cache-only key callout. Then turn on Enable Replay Detection for Cache-Only Keys on the Advanced Settings page in Setup.
  • Quickly update your cache-only keys’ associated certificates and named credentials. On the Key Management page, click Details. In the Callout Connection Details section, click Edit. Choose your callout’s up-to-date Certificate Unique Name and Named Credentials, and save. You can also update these fields through the Enterprise API.
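The replay-detection bullet above says the key service must accept a nonce with each callout. The following is an added example (not Salesforce code, and not the actual callout format, which this page does not show) of the server-side logic a customer-hosted key service needs: each nonce is honoured once within a bounded window, and a repeated nonce causes the request to be refused rather than the key material being served again. The request shape (a key identifier plus a nonce string), the TTL, and the placeholder key table are assumptions.

```python
import time
from dataclasses import dataclass, field

# Assumed replay window: a nonce older than this is forgotten so the store
# stays bounded. Salesforce's real window is not stated on this page.
NONCE_TTL_SECONDS = 300

# Constructed placeholder key table (key identifier -> wrapped key material).
# Values are illustrative strings, not real key material.
KEYS = {"example-key-id": "<wrapped-key-material-placeholder>"}


@dataclass
class NonceStore:
    """Remembers nonces seen within the TTL so a replayed callout is rejected."""
    seen: dict = field(default_factory=dict)  # nonce -> time first accepted

    def accept(self, nonce: str, now: float) -> bool:
        # Evict expired nonces first, then refuse anything empty or already seen.
        for stale in [n for n, t in self.seen.items() if now - t > NONCE_TTL_SECONDS]:
            del self.seen[stale]
        if not nonce or nonce in self.seen:
            return False
        self.seen[nonce] = now
        return True


def handle_key_callout(key_id: str, nonce: str, store: NonceStore, now: float = None) -> dict:
    """Serve one cache-only key callout (hypothetical shape).

    The nonce is checked before any key lookup, so a replayed request never
    reaches the key table. Returns a dict standing in for an HTTP response.
    """
    now = time.time() if now is None else now
    if not store.accept(nonce, now):
        return {"status": 403, "error": "nonce missing or already used"}
    if key_id not in KEYS:
        return {"status": 404, "error": "unknown key identifier"}
    # Echo the nonce so the caller can tie this response to its own request.
    return {"status": 200, "kid": key_id, "nonce": nonce, "key": KEYS[key_id]}
```

Persist the nonce store across key-service instances if the service is load balanced; an in-memory dict only protects a single process.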