Salesforce announces third-party management of encryption keys

Salesforce introduced External Encryption Key Management. The upcoming solution allows the encryption keys for Salesforce’s products to be managed by third-party partners. As a result, Salesforce has less access to user data, making it easier for customers to comply with European privacy laws.

Salesforce develops a wide range of enterprise software. The organization is well versed in encryption. Salesforce offers multiple options for encryption key management, giving customers a choice in how their data is protected. Customers can either have their encryption keys managed by Salesforce or store their encryption keys on proprietary infrastructure.

Customers that opt for Salesforce-managed keys trust the organization to keep their encryption keys secure. In theory, Salesforce could misuse the encryption keys to decrypt and share customer data. Although the organization promises not to do so, and the chance of abuse is extremely small, European regulators advise some organizations to house their encryption keys with third-party vendors.

External Encryption Key Management

Salesforce does not support key management by third-party vendors at this time, but change is coming. The organization has been working on a solution that will allow customers to have their encryption keys managed by third parties. The system is called ‘External Encryption Key Management’ and was presented at Dreamforce, Salesforce’s annual conference.

Salesforce did not mention a release date, but the announcement suggests that the solution won’t appear until 2023. Once the system is available, customers can choose one of several approved partners to manage their encryption keys. Current partners include AWS, Atos, Entrust, HashiCorp, Thales and T-Systems.

The system will be available to customers of most Salesforce products, including its software-, platform- and infrastructure-as-a-service solutions. Customers pick a partner, which proceeds to take care of the customer’s encryption keys. The partner makes it difficult for Salesforce to view encryption keys, making it easier for customers to comply with European privacy laws.


The launch is part of Salesforce’s privacy strategy. Earlier, the company launched Hyperforce, a solution that provides European customers with a choice in the regions where their applications run. Like the upcoming encryption system, Hyperforce promotes compliance with privacy laws.
