---
title: "Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Salesforce"
slug: "exporting-fortanix-data-security-manager-keys-to-cloud-providers-for-byok-salesforce"
updated: 2026-06-02T09:57:30Z
published: 2026-06-02T09:57:30Z
---


# Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Salesforce

## 1.0 Introduction

This article describes the steps required to export **Fortanix-Data-Security-Manager (DSM)** keys to **Salesforce**, which supports BYOK for server-side encryption.

## 2.0 Prerequisites

Ensure the following:

1. A Salesforce account with the following permissions:
  1. Certificate Management
  2. Encryption Key Management
  3. Customize Application

  The account does not need to be an administrator account. The credentials of this account will be used for plugin operations.

  Perform the following steps to create a permission set with the above-mentioned permissions and assign a user:
  1. From **Setup**, enter **Permission Sets** in the **Quick Find** box, then select **Permission Sets**.
  2. Click **New**.
  3. Create a label for the set of permissions, for example, **Key Manager**. The API name populates with a variation of your chosen label.
  4. Click **Save**.
  5. In the System section of the **Key Manager** page, select **System Permissions**.
  6. Click **Edit**, enable the following permissions, and click **Save**.
    - **Customize Application**
    - **Manage Encryption Keys**
    - **Manage Certificates**
  7. From **Setup**, enter **Users** in the **Quick Find** box, then select **Users**.
  8. Select the name you want in the User list.
  9. Scroll down to **Permission Set Assignments**, and select **Edit Assignments**.
  10. Select **Key Manager**, then add it to the **Enabled Permission Sets** list.
  11. Click **Save**.
2. A Fortanix DSM account with appropriate permissions to create groups, applications (apps), security objects, and plugins.

## 3.0 Download a Self-Signed Certificate from Salesforce

Perform the following steps to generate and download a self-signed Certificate in Salesforce.

1. Log in to Salesforce. Go to **Setup**.
2. Create a self-signed certificate under **Security** → **Certificate and Key Management** with the settings in the screenshot below.
3. Disable the check box **Exportable Private Key**.
4. Select the check box **Use Platform Encryption**.
5. Select the key size as **4096**.

![SalesforceBYOKSdkms-Step9.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/15196609660436.png)

**Figure 1: Use platform encryption**

*For more information on Certificate and Key Management, refer to the Salesforce official documentation.*
6. After the certificate is created, download it.

![SalesforceBYOKSdkms-Step10.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/15196610029972.png)

**Figure 2: Download the certificate**

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 3: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Salesforce Instance

Perform the following steps to create an instance using the Salesforce wizard in Fortanix DSM SaaS:

1. Sign up at [https://smartkey.io/](https://smartkey.io/) to access DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed [*here*](https://portal.us.document360.io/v1/docs/fortanix-dsm-saas-global-availability-map).
2. In the DSM left navigation panel, click the **Integrations** menu item, and then select the **Cloud Key Management/BYOK** check box. Click **ADD INSTANCE** on the **Salesforce** tile.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOK-Instances - Salesforce.png)

**Figure 4: Add Salesforce instance**
3. On the **Add Instance** page:
  1. **Title**: Enter a name for your instance. The Fortanix DSM will, by default, apply **SF_** as a suffix to the entered name.
  2. **Client Certificate**: Click **UPLOAD CERTIFICATE** to upload the certificate that you downloaded from Salesforce in [*Section 3.0: Download Self-Signed Certificate in Salesforce*](/v1/docs/exporting-fortanix-data-security-manager-keys-to-cloud-providers-for-byok-salesforce#30-download-a-selfsigned-certificate-from-salesforce) into Fortanix DSM as a security object.
4. Click **SAVE INSTANCE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074292741.png)

**Figure 5: Create an instance**

With the creation of an instance, a new group, an app, a plugin, and a security object are created within Fortanix DSM.

### 4.4 Salesforce Instance Detailed View

Navigate to the **Integrations** menu item → **Salesforce** wizard → Salesforce instances table. The instance detailed view page shows the following information:

- **API KEY**: Click **VIEW API KEY DETAILS** to view the details of the API key, such as username and password.
- **MANAGE KEYS**: Click **MANAGE** to oversee the keys created.
- **INSTANCE STATUS**: To disable the created instance, toggle **Disabled**.
- **DELETE**: To delete the instance, click the overflow menu ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1342)(3).png) and select **DELETE**. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074302211.png)

**Figure 6: Detailed instance**

### 4.5 Copying the Security Object UUID

Perform the following steps to copy the security object UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click the security object created in [*Section 4.3: Creating a Salesforce Instance*](/v1/docs/exporting-fortanix-data-security-manager-keys-to-cloud-providers-for-byok-salesforce#43-creating-a-salesforce-instance) to go to the detailed view of the security object.
2. From the top of the security object’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the security object **UUID** to copy it for use in setting up Salesforce credentials.

## 5.0 Salesforce Setup

Fortanix DSM allows for the secure generation, escrow, and lifecycle management of Salesforce tenant secrets. This enables customers to back up encryption keys for the Salesforce Shield Platform.

Salesforce Shield Platform requires additional licensing and may not be suitable for all Salesforce Apps. *For more information, refer* [*here*](https://help.salesforce.com/articleView?id=security_pe_considerations_apps.htm&type=5)*.*

### 5.1 Create a Connected App in Salesforce

1. To create an **External Client App**, navigate to **Apps** → **External Client Apps** → **New External Client App**.
2. Configure the app with the following settings:
  - **Name:** Enter a name for the app.
  - In the **API (Enable OAuth Settings)** section, select **Enable OAuth Settings** for authentication.
  - In the **App Settings**, set the **Callback URL** field to `https://login.salesforce.com/services/oauth2/success`.
  - In the **OAuth scope** field, select **Manage user data via APIs**.
  - In the **Flow enablement** field, select **Enable Client Credentials flow**.
3. Click **Save** to create the external client app.
4. Click **Edit Policies**:
  - In the **OAuth Flows and External Client App Enhancements** section, select **Enable Client Credentials Flow**. In the **Run As (Username)** field, specify the user.
  - In the **App Authorization** section, for the **IP Relaxation** field, select **Relax IP restrictions** from the drop down menu.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ExternalClientApp-Salesforce(1).png)

**Figure 7: Manage external client app**

If you selected **Enforce IP Restriction**, you must add the DSM IP to the trusted IP Range. Use quick search to find **Network Access**, and then click **New** to add trusted IP ranges.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/NetworkAccess-SalesforceBYOK.png)

**Figure 8: Network access page**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/NetworkAccess1-SalesforceBYOK.png)

**Figure 9: Network access page**
5. Click **Save**.
6. In the detailed view of the external client app, navigate to the **Settings** tab.
7. In the **App Settings** section, click **Consumer Key and Secret** to retrieve the consumer key and consumer secret.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ConsumerKey-SalesforceBYOK.png)

**Figure 10: Fetch consumer key and secret**
8. Save the **Consumer Key** and **Consumer Secret** for future use.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/SaveConsumerKey-SalesforceBYOK.png)

**Figure 11: Consumer details**
9. Verify the following Salesforce credentials:
  - Client/Consumer Secret (Created in *Step 7*)
  - Tenant URI API version (Fortanix Plugin tested against version 57.0)

## 6.0 Plugin Operations

### 6.1 Configure Operation

This operation configures the Salesforce credentials in Fortanix DSM and returns a UUID. You need to pass this UUID for other operations. This is a one-time process.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `configure`.
- `consumer_key`: Specifies the Consumer Key of the connected app.
- `consumer_secret`: Specifies the Consumer Secret of the connected app.
- `tenant`: Specifies the Salesforce tenant URI.
- `version`: Specifies the API version (Fortanix Plugin tested against version 57.0).
- `name`: Specifies the name of the security object. This security object will be created in Fortanix DSM and will have Salesforce credential information.

**Example:**

JSON Input:

```json
{
  "operation": "configure",
  "consumer_key": "CBK...................D",
  "consumer_secret": "DMV................D",
  "tenant"   : "<Salesforce tenant URI>",
  "version"  : "v57.0",
  "name"    : "<name of the security object you want to use a wrapper>"
}
```

JSON Output:

```json
"3968218b-72c3-4ada-922a-8a917323f27d"
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ConfigureOp-SalesforceBYOK.png)

**Figure 12: Configure operation**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/SecurityObjectConfigure-SalesforceBYOK.png)

**Figure 13: Salesforce security object**

### 6.2 Check Operation

This operation is to test whether the plugin can import a wrapping certificate from Salesforce into Fortanix DSM.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `check`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.

**Example**

JSON Input:

```json
{
  "operation": "check",
  "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "wrapper"  : "<name of the security object you want to use a wrapper>"
}
```

JSON Output:

```json
{
  "group_id": "ff2............................c",
  "public_only": true,
  "key_ops": [
    "VERIFY",
    "ENCRYPT",
    "WRAPKEY",
    "EXPORT"
  ],
  "enabled": true,
  "rsa": {
    "signature_policy": [
      {
        "padding": null
      }
    ],
    "encryption_policy": [
      {
        "padding": {
          "OAEP": {
            "mgf": null
          }
        }
      }
    ],
    "key_size": 4096
  },
  "state": "Active",
  "created_at": "20201229T183553Z",
  "key_size": 4096,
  "kid": "6de........................4",
  "origin": "External",
  "lastused_at": "19700101T000000Z",
  "obj_type": "CERTIFICATE",
  "name": "SFBYOK_FTX_Wrapper",
  "acct_id": "ec9.......................7",
  "compliant_with_policies": true,
  "creator": {
    "plugin": "654.......................1"
  },
  "value": "MII........................9",
  "activation_date": "20201229T183553Z",
  "pub_key": "MII......................8",
  "never_exportable": false
}
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/CheckOperation-SalesforceBYOK.png)

**Figure 14: Check operation**
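A pre-upload gate over the `check` output, added here as an example (it is not Fortanix code): it confirms that the imported object is a public-only, 4096-bit certificate that can wrap keys, matching the settings chosen in Section 3.0. The function name and the trimmed sample are constructed for illustration.

```python
import copy
import json

# Constructed sample in the shape of the `check` output above; redacted
# fields are omitted and only the properties being verified are kept.
SAMPLE_CHECK_OUTPUT = json.loads("""
{
  "public_only": true,
  "key_ops": ["VERIFY", "ENCRYPT", "WRAPKEY", "EXPORT"],
  "enabled": true,
  "rsa": {
    "encryption_policy": [{"padding": {"OAEP": {"mgf": null}}}],
    "key_size": 4096
  },
  "state": "Active",
  "obj_type": "CERTIFICATE",
  "name": "SFBYOK_FTX_Wrapper"
}
""")

MIN_RSA_BITS = 4096  # key size selected when the certificate was created


def wrapper_findings(sobject, expected_name):
    """Return the reasons (empty list = none) not to wrap keys with this object."""
    findings = []
    if sobject.get("name") != expected_name:
        findings.append("name differs from the requested wrapper")
    if sobject.get("obj_type") != "CERTIFICATE":
        findings.append("object is not a certificate")
    # The private key was marked non-exportable in Salesforce, so DSM should
    # hold the public half only.
    if sobject.get("public_only") is not True:
        findings.append("object is not public-only")
    if sobject.get("enabled") is not True or sobject.get("state") != "Active":
        findings.append("object is disabled or not Active")
    if "WRAPKEY" not in (sobject.get("key_ops") or []):
        findings.append("WRAPKEY is not among the permitted key operations")
    rsa = sobject.get("rsa") or {}
    if (rsa.get("key_size") or 0) < MIN_RSA_BITS:
        findings.append("RSA key is smaller than %d bits" % MIN_RSA_BITS)
    # Strict choice made for this example: require OAEP to be listed
    # explicitly, as it is in the sample output.
    paddings = [p.get("padding") for p in rsa.get("encryption_policy") or []]
    if not any(isinstance(p, dict) and "OAEP" in p for p in paddings):
        findings.append("encryption policy does not list OAEP")
    return findings


if __name__ == "__main__":
    weak = copy.deepcopy(SAMPLE_CHECK_OUTPUT)
    weak["rsa"]["key_size"] = 2048
    weak["public_only"] = False
    print(wrapper_findings(SAMPLE_CHECK_OUTPUT, "SFBYOK_FTX_Wrapper"))
    print(wrapper_findings(weak, "SFBYOK_FTX_Wrapper"))
```
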

### 6.3 Select Operation

This operation allows you to select a security object and fetch its details.

**Parameters**

- `operation`: Specifies the operation that you want to perform. A valid value is `select`.
- `secret_id`: Specifies the response of the `configure` operation.
- `sobject`: SQL query.
- `tooling`: Specifies an optional flag. If set to `true`, it allows querying against the Salesforce Tooling REST API.
- `method`: Specifies the method: `GET`, `PUT`, `PATCH`, or `DELETE`.

**Example**

JSON Input:

```json
{
  "operation": "select",
  "secret_id": "2f9bb707-7897-4c1d-9293-5844712ee621",
  "sobject"  : "TenantSecret",
  "tooling"   : false,
  "method"    : "GET"
}
```

JSON Output:

```json
{
  "recentItems": {},
  "objectDescribe": {
    "queryable": true,
    "mergeable": false,
    "hasSubtypes": false,
    "custom": false,
    "updateable": true,
    "replicateable": false,
    "mruEnabled": false,
    "labelPlural": "Tenant Secret",
    "deepCloneable": false,
    "feedEnabled": false,
    "activateable": false,
    "triggerable": false,
    "retrieveable": true,
    "urls": {
      "rowTemplate": "/services/data/v50.0/sobjects/TenantSecret/{ID}",
      "sobject": "/services/data/v50.0/sobjects/TenantSecret",
      "describe": "/services/data/v50.0/sobjects/TenantSecret/describe"
    },
    "undeletable": false,
    "keyPrefix": "02G",
    "layoutable": false,
    "name": "TenantSecret",
    "isSubtype": false,
    "isInterface": false,
    "deletable": false,
    "deprecatedAndHidden": false,
    "customSetting": false,
    "createable": true,
    "associateParentEntity": null,
    "associateEntityType": null,
    "searchable": false,
    "label": "Tenant Secret"
  }
}
```

### 6.4 Query Operation

This operation allows you to search tenant secrets (Salesforce encryption keys) using Salesforce Object Query Language (SOQL).

**Parameters**

- `operation`: Specifies the operation that you want to perform. A valid value is `query` or `search`.
- `secret_id`: Specifies the response of the `configure` operation.
- `query`: SQL query. It can be one of the following:
  - `select Id, Status, Version from TenantSecret`
  - `select Id, Status, Version from TenantSecret where Type = 'Data'`
  - `select Id, Status, Version from TenantSecret where Type = 'Data' and Status = 'ACTIVE'`
- `tooling`: Specifies an optional flag. If set to `true`, it allows querying against the Salesforce Tooling REST API.

**Example**

JSON Input:

```json
{
  "operation": "search",
  "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "query"   : "select Id, Status, Version from TenantSecret where Type = 'Data'",
  "tooling"  : false,
  "sandbox"  : false
}
```

JSON Output:

```json
{
  "done": true,
  "totalSize": 5,
  "records": [
    {
      "attributes": {
        "type": "TenantSecret",
        "url": "/services/data/v50.0/sobjects/TenantSecret/02G..........O"
      },
      "Status": "ARCHIVED",
      "Id": "02G.............D",
      "Version": 3
    },
    {
      "Version": 1,
      "attributes": {
        "url": "/services/data/v50.0/sobjects/TenantSecret/02G...........W",
        "type": "TenantSecret"
      },
      "Id": "02G...........W",
      "Status": "ARCHIVED"
    },
    {
      "Version": 2,
      "Id": "02G..........O",
      "attributes": {
        "type": "TenantSecret",
        "url": "/services/data/v50.0/sobjects/TenantSecret/02G............O"
      },
      "Status": "ARCHIVED"
    },
    {
      "Id": "02G...........4",
      "attributes": {
        "url": "/services/data/v50.0/sobjects/TenantSecret/02G...........4",
        "type": "TenantSecret"
      },
      "Version": 4,
      "Status": "DESTROYED"
    },
    {
      "attributes": {
        "type": "TenantSecret",
        "url": "/services/data/v50.0/sobjects/TenantSecret/02G............O"
      },
      "Id": "02G..........O",
      "Version": 5,
      "Status": "ACTIVE"
    }
  ]
}
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/QueryOperation-SalesforceBYOK(1).png)

**Figure 15: Query operation**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/QueryOperationKeyMgmt-SalesforceBYOK(1).png)

**Figure 16: Query operation key management**
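An inventory pass over the `search` output, added here as an example (it is not part of the Fortanix plugin): it separates the active tenant secret from the archived records that the destroy operation accepts and the destroyed records that the restore operation accepts, and refuses to trust a partial result. The function name, the sample Ids, and the expectation of exactly one `ACTIVE` record per type are assumptions of this example.

```python
import json

# Constructed `search` output in the shape shown above; the Ids are made up.
SAMPLE_QUERY_OUTPUT = json.loads("""
{
  "done": true,
  "totalSize": 5,
  "records": [
    {"Id": "02G0000000000AA", "Status": "ARCHIVED",  "Version": 3},
    {"Id": "02G0000000000AB", "Status": "ARCHIVED",  "Version": 1},
    {"Id": "02G0000000000AC", "Status": "ARCHIVED",  "Version": 2},
    {"Id": "02G0000000000AD", "Status": "DESTROYED", "Version": 4},
    {"Id": "02G0000000000AE", "Status": "ACTIVE",    "Version": 5}
  ]
}
""")


def audit_tenant_secrets(result):
    """Classify the records of one `search` result filtered to a single Type."""
    records = result.get("records") or []
    report = {"active": [], "destroy_candidates": [], "restore_candidates": [],
              "issues": []}
    # A partial result must not drive destroy or restore decisions.
    if result.get("done") is not True or result.get("totalSize") != len(records):
        report["issues"].append("result set is incomplete")
    seen_versions = set()
    for rec in sorted(records, key=lambda r: r.get("Version") or 0):
        status, version, rec_id = rec.get("Status"), rec.get("Version"), rec.get("Id")
        if version in seen_versions:
            report["issues"].append("duplicate version %s" % version)
        seen_versions.add(version)
        if status == "ACTIVE":
            report["active"].append((version, rec_id))
        elif status == "ARCHIVED":      # the destroy operation takes archived keys
            report["destroy_candidates"].append((version, rec_id))
        elif status == "DESTROYED":     # the restore operation takes destroyed keys
            report["restore_candidates"].append((version, rec_id))
        else:
            report["issues"].append("unknown status %r on %s" % (status, rec_id))
    # Assumption of this example: one ACTIVE tenant secret per Type.
    if len(report["active"]) != 1:
        report["issues"].append(
            "expected 1 ACTIVE secret, found %d" % len(report["active"]))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_tenant_secrets(SAMPLE_QUERY_OUTPUT), indent=2))
```
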

### 6.5 Upload Operation

This operation allows you to create key material in Fortanix DSM and upload it to Salesforce. The name in the response is the name given in the upload operation with a suffix in the format `YYYYmmDDTHHMMSSZ`.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `upload`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.
- `type`: Valid values are `Data`, `EventBus`, `SearchIndex`, and `DeterministicData`. `Data` can be used once per 24-hour period, and `EventBus` can be used once per 168-hour period.
- `mode`: Key derivation mode. It can be blank, which defaults to “`xBKxxx`”, or can also be "`NONE`" to disable key derivation in Salesforce.
- `name`: Specifies the prefix of the name.

**Example:**

JSON Input:

```json
{
  "operation": "upload",
  "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "wrapper"  : "<name of the security object you want to use a wrapper>",
  "type"     : "Data",
  "mode"     :  "",
  "name"     : "Salesforce Data Key"
}
```

JSON Output:

```json
{
  "obj_type": "AES",
  "custom_metadata": {
    "SF_HASH": "ESP.......................=",
    "SF_UPLOAD": "EDF.....................=",
    "SF_WRAPPER": "SFBYOK_FTX_Wrapper",
    "SF_MODE": "",
    "SF_KID": "02G...........O",
    "SF_TYPE": "Data"
  },
  "acct_id": "ec9...................7",
  "creator": {
    "plugin": "654....................1"
  },
  "public_only": false,
  "origin": "Transient",
  "kid": "bb7................3",
  "lastused_at": "19700101T000000Z",
  "activation_date": "20201229T185549Z",
  "key_size": 256,
  "kcv": "b5...9",
  "name": "Salesforce Data Key 20201229T185546Z",
  "state": "Active",
  "enabled": true,
  "key_ops": [
    "EXPORT"
  ],
  "compliant_with_policies": true,
  "created_at": "20201229T185549Z",
  "aes": {
    "tag_length": null,
    "key_sizes": null,
    "random_iv": null,
    "fpe": null,
    "iv_length": null,
    "cipher_mode": null
  },
  "never_exportable": false,
  "group_id": "ff2..............b"
}
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/UploadOperation-SalesforceBYOK.png)

**Figure 17: Upload operation**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/UploadOperationKeyMgmt-SalesforceBYOK.png)

**Figure 18: Upload operation key management**

### 6.6 Status Operation

This operation allows you to obtain the status of a Salesforce key.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `status`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.
- `name`: Specifies the name of the corresponding security object in Fortanix DSM.

**Example:**

JSON Input:

```json
{
      "operation" : "status",
      "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "wrapper"   : "<name of the security object you want to use a wrapper>",
      "name"      : "Salesforce Data Key 20201229T185546Z"
}
```

JSON Output:

```json
{
  "RemoteKeyIdentifier": null,
  "CreatedDate": "2020-12-29T18:55:49.000+0000",
  "SecretValueHash": "ESP........................=",
  "CreatedById": "005..........2",
  "KeyDerivationMode": "PBKDF2",
  "attributes": {
    "url": "/services/data/v50.0/sobjects/TenantSecret/02G..........O",
    "type": "TenantSecret"
  },
  "LastModifiedDate": "2020-12-29T18:55:49.000+0000",
  "IsDeleted": false,
  "SecretValue": "CgM.............................=",
  "SecretValueCertificate": null,
  "Type": "Data",
  "RemoteKeyServiceId": null,
  "Version": 6,
  "Id": "02G..........O",
  "Status": "ACTIVE",
  "SystemModstamp": "2020-12-29T18:55:49.000+0000",
  "RemoteKeyCertificate": null,
  "Source": "UPLOADED",
  "Description": "Salesforce Data Key 20201229T185546Z",
  "LastModifiedById": "005............2"
}
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/StatusOperation-SalesforeBYOK.png)

**Figure 19: Status operation**
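A reconciliation of the upload response with the `status` output, added here as an example (it is not Fortanix code): it checks that the key escrowed in Fortanix DSM and the Salesforce tenant secret still describe the same upload, and derives the earliest next upload time from the timestamp suffix in the key name. The field pairing is inferred from the sample outputs on this page, the upload limit is treated as a rolling window from that timestamp, and the function names and sample hash and Id values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Minimum spacing between uploads, from the `type` parameter description.
UPLOAD_INTERVAL = {"Data": timedelta(hours=24), "EventBus": timedelta(hours=168)}

# Constructed samples in the shape of the upload and status outputs above;
# the hash and Id values are made up.
SAMPLE_UPLOAD = {
    "name": "Salesforce Data Key 20201229T185546Z",
    "key_ops": ["EXPORT"],
    "custom_metadata": {"SF_HASH": "aGFzaC1leGFtcGxl", "SF_KID": "02G0000000000AE",
                        "SF_TYPE": "Data", "SF_WRAPPER": "SFBYOK_FTX_Wrapper"},
}
SAMPLE_STATUS = {
    "Id": "02G0000000000AE", "SecretValueHash": "aGFzaC1leGFtcGxl", "Type": "Data",
    "Status": "ACTIVE", "Source": "UPLOADED",
    "Description": "Salesforce Data Key 20201229T185546Z",
}


def split_upload_name(name):
    """Split '<prefix> YYYYmmDDTHHMMSSZ' into (prefix, UTC datetime)."""
    prefix, sep, stamp = name.rpartition(" ")
    if not sep:
        raise ValueError("no timestamp suffix in %r" % name)
    when = datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return prefix, when


def next_upload_allowed(last_name, key_type):
    """Earliest time another upload of key_type may run, or None if no limit is stated."""
    interval = UPLOAD_INTERVAL.get(key_type)
    if interval is None:
        return None
    return split_upload_name(last_name)[1] + interval


def reconcile(dsm_obj, sf_status):
    """List mismatches between the DSM copy and the Salesforce tenant secret."""
    meta = dsm_obj.get("custom_metadata") or {}
    # Assumed pairing of fields, inferred from the sample outputs on this page.
    pairs = [
        ("SF_KID", meta.get("SF_KID"), "Id", sf_status.get("Id")),
        ("SF_HASH", meta.get("SF_HASH"), "SecretValueHash",
         sf_status.get("SecretValueHash")),
        ("SF_TYPE", meta.get("SF_TYPE"), "Type", sf_status.get("Type")),
        ("name", dsm_obj.get("name"), "Description", sf_status.get("Description")),
    ]
    mismatches = ["%s != %s" % (a, b)
                  for a, va, b, vb in pairs if va is None or va != vb]
    if sf_status.get("Source") != "UPLOADED":
        mismatches.append("Source is not UPLOADED")
    return mismatches


if __name__ == "__main__":
    print(reconcile(SAMPLE_UPLOAD, SAMPLE_STATUS))
    print(next_upload_allowed(SAMPLE_UPLOAD["name"], "Data"))
```
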

### 6.7 Sync Operation

This operation allows you to sync the Fortanix DSM key object with the Salesforce key.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `sync`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.
- `name`: Specifies the name of the corresponding security object in Fortanix DSM.

**Example**

JSON Input:

```json
{
      "operation" : "sync",
      "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "wrapper"   : "<name of the security object you want to use a wrapper>",
      "name"      : "Salesforce Data Key 20201229T185546Z",
      "sandbox"   : false
}
```

JSON Output:

```json
{
  "RemoteKeyCertificate": null,
  "IsDeleted": false,
  "CreatedById": "005..............2",
  "Status": "ACTIVE",
  "Type": "Data",
  "LastModifiedById": "005............2",
  "CreatedDate": "2020-12-29T18:55:49.000+0000",
  "SystemModstamp": "2020-12-29T18:55:49.000+0000",
  "Source": "UPLOADED",
  "SecretValueHash": "ESP.................c",
  "LastModifiedDate": "2020-12-29T18:55:49.000+0000",
  "Version": 6,
  "RemoteKeyServiceId": null,
  "RemoteKeyIdentifier": null,
  "attributes": {
    "type": "TenantSecret",
    "url": "/services/data/v50.0/sobjects/TenantSecret/02G............O"
  },
  "KeyDerivationMode": "PBKDF2",
  "Id": "02G...........O",
  "SecretValueCertificate": null,
  "Description": "Salesforce Data Key 20201229T185546Z",
  "SecretValue": "CgM........................M"
}
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/SyncOperation-SalesforceBYOK(1).png)

**Figure 20: Sync operation**

### 6.8 Destroy Operation

This operation allows you to destroy an archived Salesforce key.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `destroy`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.
- `name`: Specifies the name of the corresponding security object in Fortanix DSM.

**Example**

JSON Input:

```json
{
      "operation" : "destroy",
      "secret_id": "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "wrapper"   : "<name of the security object you want to use a wrapper>",
      "name"      : "Salesforce Data Key 20201229T185546Z",
      "sandbox"   : false
}
```

JSON Output:

The output is empty, with the HTTP status indicating success.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DestroyOperation-SalesForceBYOK.png)

**Figure 21: Destroy operation**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DestroyOperationKeyMgmt-SalesForceBYOK.png)

**Figure 22: Destroy operation key management**

### 6.9 Restore Operation

This operation allows you to restore a destroyed Salesforce key.

**Parameters:**

- `operation`: Specifies the operation that you want to perform. A valid value is `restore`.
- `secret_id`: Specifies the response of the `configure` operation.
- `wrapper`: Specifies the name of the wrapping certificate in Salesforce.
- `name`: Specifies the name of the corresponding security object in Fortanix DSM.

**Example:**

JSON Input:

```json
{
      "operation" : "restore",
      "secret_id" : "3968218b-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "wrapper"   : "<name of the security object you want to use a wrapper>",
      "name"      : "Salesforce Data Key 20201229T185546Z"
}
```

JSON Output:

The output is empty, with the HTTP status indicating success.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1769074371216.png)

**Figure 23: Restore operation**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/RestoreOperation-SalesforceBYOK.png)

**Figure 24: Restore operation key management**

