shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
Best use case
shield-kms-byok-setup is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
Teams using shield-kms-byok-setup should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/shield-kms-byok-setup/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How shield-kms-byok-setup Compares
| Feature / Agent | shield-kms-byok-setup | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Shield Platform Encryption — BYOK / KMS Setup Shield BYOK lets you upload your own 256-bit tenant secret; Cache-Only Key Service keeps the key in your own KMS, fetched by Salesforce on demand. Both require Shield Platform Encryption and careful operational processes: rotation, destroy tests, and KMS availability SLOs. ## Recommended Workflow 1. Enable Shield Platform Encryption and identify fields/files/chatter that require probabilistic vs. deterministic encryption. 2. Generate a 256-bit key in your KMS; for BYOK, derive and upload; for Cache-Only, configure named credential + callback. 3. Rotate tenant secret quarterly via Setup → Platform Encryption → Key Management. 4. Run a destroy-key test in a sandbox to prove you can revoke access (records become unreadable). 5. Document KMS availability SLO — if your KMS is down, Salesforce cannot decrypt in the Cache-Only flow. ## Key Considerations - BYOK key material never leaves Salesforce after upload; Cache-Only keys never enter Salesforce's durable storage. - Deterministic encryption is required for filter equals queries — trades strength for functionality. - Rotation re-encrypts newly written data only; historical data stays under the previous tenant secret until you run Encryption Key Rotation batch. - Cache-Only: callback latency adds to every decrypt; measure in load tests. ## Worked Examples (see `references/examples.md`) - *BYOK tenant secret upload* — Healthcare provider, HIPAA. - *Cache-Only Key Service with AWS* — Financial services firm refuses to upload key material. ## Common Gotchas (see `references/gotchas.md`) - **Destroy-key not tested** — On a real incident nobody can prove revocation works. - **KMS outage = decrypt failure** — User pages go blank; agents cannot read records. - **Mix of deterministic and probabilistic** — SOQL filter on a field silently fails to return results. ## Top LLM Anti-Patterns (full list in `references/llm-anti-patterns.md`) - Using default tenant secret indefinitely - Encrypting a field and then using SOQL LIKE on it - No runbook for KMS outage ## Official Sources Used - Apex Developer Guide — Sharing — https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_bulk_sharing_understanding.htm - Salesforce Security Guide — https://help.salesforce.com/s/articleView?id=sf.security.htm - Shield Platform Encryption — https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm - Session Security Levels — https://help.salesforce.com/s/articleView?id=sf.security_hap_session.htm - CSP and Trusted URLs — https://help.salesforce.com/s/articleView?id=sf.security_csp_overview.htm - API Only User Profile — https://help.salesforce.com/s/articleView?id=sf.users_profiles_api_only.htm - Privacy Center and DSR — https://help.salesforce.com/s/articleView?id=sf.privacy_center_overview.htm
Related Skills
shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).
salesforce-shield-deployment
Roll out Shield (Platform Encryption + Event Monitoring + Field Audit Trail) end-to-end, sequencing feature enablement to avoid data lockout. NOT for Classic Encryption or general PE design.
slack-salesforce-integration-setup
Use this skill when setting up or troubleshooting the Salesforce for Slack managed app — including connecting a Salesforce org to a Slack workspace, configuring the three-party admin handshake, linking Slack channels to Salesforce records, enabling record preview sharing, and managing org-level limits. Triggers on: Salesforce for Slack app not connecting, Slack org connection setup, Salesforce record sharing in Slack, Slack workspace admin approval, connecting Salesforce to Slack. NOT for building custom Slack apps or Slack bots (separate development platform), not for Slack Workflow Builder Salesforce connector (use slack-workflow-builder skill), not for Flow-based Slack messaging (use flow-for-slack skill).
salesforce-maps-setup
Use when configuring Salesforce Maps (formerly MapAnything) — territory planning, route optimization, live tracking, geo-grid visualizations, and check-in/check-out workflows for Sales or Service field reps not on Field Service. Covers package installation order (Maps + Maps Advanced + Maps Routing/Live Tracking add-ons), the MapsTerritoryPlan / MapsAdvancedRoute / MapsLayer object family, base-data syncs (Geocoding and Routing services), and integration with Sales and Service Cloud records. Triggers: 'Salesforce Maps setup', 'MapAnything migration', 'territory planning by polygon', 'route optimization for sales reps', 'live tracking field reps', 'plot accounts on a map', 'check-in to the closest account'. NOT for Field Service Lightning territory and scheduling (use admin/fsl-scheduling-optimization-design and data/fsl-territory-data-setup) — Maps and FSL are different products. NOT for Consumer Goods Cloud retail visit planning (use admin/consumer-goods-cloud-setup) — RoutePlan/Visit objects are CG-specific. NOT for Tableau / CRM Analytics geo charts.
private-connect-setup
Configure Private Connect between Salesforce and AWS/Azure for traffic to stay on private networks. NOT for standard internet callouts.
net-zero-cloud-setup
Use this skill when configuring Salesforce Net Zero Cloud — including Scope 1/2/3 emission source modeling via the StnryAssetCrbnFtprnt / VehicleAssetCrbnFtprnt / Scope3CrbnFtprnt object families, emission factor library setup (EmssnFctr / EmssnFctrSet), DPE-driven carbon calculation jobs, supplier engagement scoring, and CSRD / ESRS / TCFD disclosure pack mapping. Triggers on: Net Zero Cloud setup, Sustainability Cloud carbon accounting, Scope 1 2 3 emissions Salesforce, emission factor library, supplier engagement Net Zero, ESG disclosure pack mapping. NOT for ESG content scoring (use Marketing Cloud), NOT for general financial reporting (use Accounting Subledger), NOT for energy-only utility billing (use Energy & Utilities Cloud).
named-credentials-setup
Named Credentials and External Credentials configuration for secure outbound callouts: per-user vs per-org authentication, legacy vs enhanced Named Credentials, external credential principal types (Named Principal, Per User, Anonymous), OAuth 2.0 and JWT flows, and credential deployment. NOT for callout code patterns, Apex HTTP implementation, or OAuth server-side flow debugging.
manufacturing-cloud-setup
Use this skill when configuring Salesforce Manufacturing Cloud — including Sales Agreement setup, Account-Based Forecasting (ABF) recalc jobs, run-rate management, Rebate Management programs, channel inventory tracking via Channel Revenue Management, and Group Membership / OrderItem-to-SalesAgreement reconciliation. Triggers on: Manufacturing Cloud setup, Sales Agreement Salesforce, account-based forecast recalculation, run rate manufacturing, rebate program setup, channel revenue management. NOT for general Sales Cloud opportunity-to-order flow (use standard Opportunity / Order), NOT for Field Service install-base management (use FSL skills), NOT for Automotive Cloud dealer modeling (use automotive-cloud-setup).
loyalty-management-setup
Use this skill when setting up or extending Salesforce Loyalty Management — including program and currency creation, tier group design, qualifying vs. non-qualifying point currency separation, DPE batch job activation, partner loyalty configuration, and member portal setup on Experience Cloud. Triggers on: Loyalty Management setup, loyalty tier setup Salesforce, qualifying points vs redemption points, DPE batch job for loyalty, partner loyalty program Salesforce, loyalty member portal. NOT for Marketing Cloud engagement program design (separate product), not for B2B loyalty via Sales Cloud (standard opportunity, not loyalty program), not for general Experience Cloud site setup (use experience-cloud-setup skill).
automotive-cloud-setup
Use this skill when setting up or extending Salesforce Automotive Cloud — including the Vehicle / VehicleDefinition data model, dealer-OEM relationship modeling via AccountAccountRelation, ActionableEvent orchestration for service campaigns and recalls, FinancialAccount lifecycle for retail-credit deals, and DriverQualification / WarrantyTerm extensions. Triggers on: Automotive Cloud setup, Salesforce Automotive Cloud data model, Vehicle vs VehicleDefinition, dealer hierarchy AccountAccountRelation, Automotive Cloud actionable events, recall campaign Salesforce. NOT for general Sales Cloud opportunity work on a vehicle product (use standard Opportunity), NOT for Manufacturing Cloud sales agreements (use manufacturing-cloud-setup), NOT for Field Service vehicle inventory (use FSL skills).
fsl-territory-data-setup
Use this skill when bulk loading Service Territory data: boundary polygons, ServiceTerritoryMember assignments, OperatingHours, TimeSlots, and territory hierarchy setup. Trigger keywords: service territory bulk load, KML polygon import FSL, ServiceTerritoryMember migration, OperatingHours data setup, PolygonUtils Apex. NOT for Enterprise Territory Management (ETM/Account Territories), admin-level territory configuration UI, or scheduling policy setup.
salesforce-shield-architecture
Salesforce Shield as an architectural choice — Platform Encryption + Event Monitoring + Field Audit Trail as three SEPARATELY-LICENSED components, none of which ship in any standard edition. Covers BYOK vs Cache-Only Key Service (CCKM) tradeoffs, probabilistic vs deterministic encryption schemes, the field-type encryption blocklist (Formula, Roll-Up Summary, indexed External ID), Field Audit Trail's 10-year retention model, and why every Shield design starts with a license confirmation. NOT for individual feature setup steps (see security/platform-encryption, security/event-monitoring, security/field-audit-trail), NOT for compliance certification mapping (HIPAA / FedRAMP / PCI specifics).