Newer Version Available
DataEncryptionKey
DEKs are used to encrypt and decrypt data. They reside in either the Salesforce database or in an external KMS. They’re created by root keys, and when persisted, wrapped by root keys as well.
Supported Calls
create(), describeSObjects(), query()
Special Access Rules
This object is available as part of the Shield and Salesforce Platform Encryption add-on subscriptions.
Fields
| Field | Details |
|---|---|
| CreatedBy |
|
| DataEncryptionKeyCertName |
|
| Description |
|
| DoesUseKeyDerivation |
|
| LastModifiedBy |
|
| RootKeyIdentifier |
|
| RootKeyKmsIdentifier |
|
| SecretValue |
|
| SessionToken |
|
| Source |
|
| Status |
|
| Type |
|
| Version |
|
Usage
Three functions are available: describeSObjects(),create(), and query()
- Describe DataEncryptionKey with describeSObjects()
-
To get information about the ExternalEncryptionRootKey sObject, use describe.
1curl --location 'https://DOMAIN.my.salesforce.com/services/data/v62.0/sobjects/'\ 2DataEncryptionKey/describe' 3--header 'Content-Type: application/json' \ 4--header 'Authorization: Bearer TOKEN'On success, the response is the full JSON description of the DataEncryptionKey sObject.
- Create a DEK with create()
-
To create a DEK, use a POST method to create an sObject of type DataEncryptionKey. Specify a Type of search index (case insensitive).
1curl --location 'https://DOMAIN.my.salesforce.com/services/data/v63.0/sobjects/DataEncryptionKey' \ 2--header 'Content-Type: application/json' \ 3--header 'Authorization: Bearer TOKEN' \ 4--data '{ 5 "Type": "search index" 6}'On success, the response is be similar to
1{ 2 "errors" : [ ], 3 "success" : true 4}On error, the response is similar to
1"errors" : [ 2 // Example of one error object 3 { 4 "statusCode" : "MALFORMED_ID", 5 "message" : "Contact ID: id value of incorrect type: 001xx000003DGb2999", 6 "fields" : [ 7 "Id" 8 ] 9 }, 10 //Second error object, 11 //Third error object 12] - List DEKs with query()
-
To retrieve DEKs, use query or queryAll on the DataEncryptionKey sObject. You must specify a limit for the query. All DEKs are retrieved, including archived DEKs.
1curl --location 'https://DOMAIN.my.salesforce.com/services/data/v63.0/queryAll/?q=SELECT+FIELDS(ALL)+FROM+DataEncryptionKey+LIMIT+10' \ 2--header 'Authorization: Bearer TOKEN'On success, the response is be similar to
1{ 2 "totalSize": (COUNT), 3 "done": true, 4 "records": [ 5 { 6 "attributes": { 7 "type": "DataEncryptionKey", 8 "url": "/services/data/v63.0/sobjects/DataEncryptionKey/(ID)" 9 }, 10 ATTRIBUTE LIST 11 },On error, the response is similar to
1[ 2 { 3 "message": "ERROR MESSAGE", 4 "errorCode": "ERROR CODE" 5 } 6] - Upload a DEK
-
To upload a data encryption key generated outside of Salesforce, first create a certificate that’s compatible with customer-supplied key material. See Generate a BYOK-Compatible Certificate in Salesforce Help.
Retrieve the DataEncryptionKey.SessionToken value with a list query on the DEK. A new temporary DEK is created. The session token is displayed under the sessionToken column.
Retrieve the BYOK-compatible certificate that you created for your key.
Generate a data encryption key. You can use this script to generate a customer-supplied data encryption key. Alternatively, generate a key using a method of your choice. It must meet the specifications outlined in Bring Your Own Key Overview.
Upload your generated SecretValue and the session token associated with your certificate. Include the unique name of the compatible certificate. The key material is uploaded in encrypted form.1DataEncryptionKey secret = new DataEncryptionKey (); 2 secret.description = 'New uploaded secret'; 3 secret.type= 'Search Index'; 4 secret.SecretValue = ... 5 EncodingUtil.base64Decode('...');; 6 secret.SecretValueCertificate = ...; 7 secret.SecretValueHash = ... 8 EncodingUtil.base64Decode('...'); 9 insert secret;To validate that the data encryption key is uploaded, retrieve a list of all DEKs using query or queryAll on the DataEncryptionKey object.