Salesforce Key Management

Salesforce Key Management


Salesforce Key Management is a feature that allows customers to use Salesforce’s Bring Your Own Key (BYOK) feature to encrypt Salesforce data at rest. Netskope today provides customers the option of rotating/managing these keys from the Netskope console. Note that this feature is now deprecated, which means Netskope will not support this capability in any new commercial or federal Netskope DC.

Note that deprecation of this feature only means that you cannot rotate/manage the encryption keys from Netskope. You can continue using the BYOK feature within Salesforce without impacting Netskope’s API Data Protection for Salesforce.

Fine prints as follows:

  • For new Salesforce app instances, the UI will not have a BYOK checkbox. New instances cannot enable BYOK.
  • For existing Salesforce app instances that have not enabled BYOK, cannot enable it going forward.
  • Existing Salesforce app instances that are using BYOK, can disable BYOK. However, once disabled, you cannot re-enable it.
  • Salesforce Key Management page under Salesforce API-enabled Protection dashboard will not be available for tenants who have not enabled BYOK.
  • For existing Salesforce app instances that have enabled BYOK, the feature will continue to work as expected.

Salesforce Key Management allows you to use Salesforce’s Bring Your Own Key (BYOK) feature, which enables you to generate and provide your own tenant secret to derive encryption keys for increased security.

Your Salesforce account must have the Manage Encryption Keys administrative permissions for the user’s parent profile in order to use this feature. You can set this permission from the SETUP > ADMINISTRATION > Users > Profiles page of the Lightning Experience UI of Salesforce. Select the custom administrator profile you created as part of Salesforce API configuration. Edit the profile and select the Administrative Permissions > Manage Encryption Keys checkbox.


The Key Management configuration page appears on the API Data Protection dashboard page only if you have enabled the BYOK checkbox during the Salesforce app instance setup. Ensure that you have enabled this checkbox before proceeding further.

  1. Log in to the Netskope tenant UI.
  2. Navigate to API Data Protection and click the desired Salesforce app instance.
  3. On the top-right of the Files & Users page, click Key Management.
  4. The UI prompts to upload a certificate to enable key management. Click upload certificate.
  5. Select the certificate and click Upload.


    Upload a Privacy Enhanced Mail (PEM) encoded certificate only.

    What is the purpose of this certificate? The tenant secret that is uploaded to Salesforce while generating a new tenant secret is encrypted. The public key derived from this certificate is used to encrypt the 256-bit tenant secret generated from the Hardware Security Module (HSM). This certificate should be BYOK compatible. You can follow the Salesforce article described here. Before you upload the certificate, rename the file extension to .pem.

  6. Back on the Key Management page, click Generate New Key to create a new tenant secret.

    The new tenant secret is used to derive the encryption key for future data encryption requests. The archived tenant secret is used to derive decryption key for previously encrypted data.


    • When a new tenant secret is generated, the active tenant secret is archived. To destroy an archived tenant secret, click the trash icon.
    • Tenant secret status can either be active, archived, or destroyed.

The key management table displays a lit of keys (active, archived, destroyed). The table displays the key ID, version, status, key manager, creation date, and last modified date.

Share this Doc

Salesforce Key Management

Or copy link

In this topic ...