Salesforce BYOK

this document provides information on configuring {{futurex}} hardware security modules (hsms) with salesforce bring your own key (byok) using {{futurex}} excrypt manager for additional questions related to your hsm, see the relevant user guide what is salesforce? "salesforce is the world’s leading customer relationship management technology, helping you build and improve your customer relationships our starter suite makes it easy for small businesses to get organized and grow with the #1 ai crm and we’re helping organizations of all sizes unify their data and re imagine their business for the world of ai with agentforce, providing autonomous ai agents that take action for your employees and customers " https //www salesforce com/products/what is salesforce/ beyond core crm functionality, salesforce includes a broad ecosystem of products such as sales cloud service cloud marketing cloud platform services (including the salesforce appexchange) these enable organizations to extend their capabilities through custom applications, integrations, and third party solutions for security focused deployments, salesforce supports byok using shield platform encryption byok allows organizations to maintain control over their data encryption keys by managing those keys externally, such as with a {{vectera}} hsm, and securely providing a wrapped tenant secret to salesforce this ensures that encrypted data in salesforce is protected by keys fully controlled by the customer what is byok? "when you supply your own tenant secret or data encryption key (dek), you get the benefits built into salesforce shield platform encryption, plus the extra assurance that comes from exclusively managing your own key material depending on the feature, byok supports derived keys and deks to be compatible with salesforce byok, use a pkcs#8 encrypted, base64 encoded 4096 rsa key pair with appropriate headers and footers " https //help salesforce com/s/articleview?id=xcloud security pe byok setup htm\&type=5 using the hsm for byok integration using the hsm for salesforce byok salesforce byok allows customers to control the encryption keys that protect their data in this integration, the aes 256 tenant secret is generated externally, while the hsm is used to securely manage and wrap the key using salesforce’s public rsa key by leveraging the hsm, organizations can maintain full control over their tenant secrets and upload them to salesforce guardian integration the {{guard}} introduces mission critical viability to core cryptographic infrastructure, including centralization of device management elimination of points of failure distribution of transaction loads group specific function blocking user defined grouping systems see the applicable guide in the {{futurex}} portal for configuring hsms with the {{guard}} , including pkcs #11 and cng configuration