FAQ-000546 - Custom Settings and Configuration Security / Specific Use Cases and Implementation Patterns

Current Status: VALID_RESPONSE

Current FAQ

Question
How should I securely store third-party integration keys in custom metadata?
Answer
To securely store third-party integration keys in custom metadata:

1. **Use Protected Custom Metadata Fields**: Store the keys in protected custom metadata API fields to prevent unauthorized access or modification.
2. **Encrypt the Keys**: Encrypt the integration keys using Apex Crypto calls for added security.
3. **Separate Encryption Key Storage**: Store the encryption key in a protected custom setting or another protected custom metadata field.
4. **Configure Permissions**: Ensure proper permissions are set for fields containing encrypted secrets.

This approach ensures the secure storage of integration keys. Let me know if you need further assistance!
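The four steps above as one Apex class. This is an added example, not code from the FAQ: the type, field and class names (`Integration_Key__mdt`, `Encrypted_Value__c`, `Crypto_Config__c`, `Aes_Key_B64__c`, `IntegrationKeyVault`) are hypothetical. It assumes both the metadata type and the custom setting are marked Protected and ship in the same managed package as the class, since that is the context in which protected visibility hides them from the subscriber org.

```apex
// Added example; hypothetical schema, not from the FAQ:
//   Integration_Key__mdt : protected custom metadata type,
//                          Encrypted_Value__c = base64(IV + ciphertext)
//   Crypto_Config__c     : protected hierarchy custom setting,
//                          Aes_Key_B64__c = base64 of a 32-byte AES key
public with sharing class IntegrationKeyVault {

    public class VaultException extends Exception {}

    // Steps 1-2: encrypt a third-party key so that only ciphertext is stored
    // in the protected metadata field. Run once when provisioning the record.
    public static String encryptForStorage(String plaintextKey) {
        // encryptWithManagedIV generates a random IV per call and prepends it
        // to the ciphertext, so no IV is hardcoded in Apex.
        Blob cipher = Crypto.encryptWithManagedIV(
            'AES256', loadAesKey(), Blob.valueOf(plaintextKey));
        return EncodingUtil.base64Encode(cipher);
    }

    // Read path used just before a callout. Keep the return value out of
    // debug logs, exception messages and record fields.
    public static String getIntegrationKey(String developerName) {
        Integration_Key__mdt rec = Integration_Key__mdt.getInstance(developerName);
        if (rec == null || String.isBlank(rec.Encrypted_Value__c)) {
            throw new VaultException('No integration key configured: ' + developerName);
        }
        Blob cipher = EncodingUtil.base64Decode(rec.Encrypted_Value__c);
        return Crypto.decryptWithManagedIV('AES256', loadAesKey(), cipher).toString();
    }

    // Step 3: the AES key is stored apart from the ciphertext, in a protected
    // custom setting, and never appears as a literal in code.
    private static Blob loadAesKey() {
        Crypto_Config__c cfg = Crypto_Config__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Aes_Key_B64__c)) {
            throw new VaultException('Encryption key is not provisioned');
        }
        Blob key = EncodingUtil.base64Decode(cfg.Aes_Key_B64__c);
        if (key.size() != 32) {
            throw new VaultException('AES256 requires a 32-byte key');
        }
        return key;
    }
}
```

The 32-byte value for `Aes_Key_B64__c` can be produced once with `EncodingUtil.base64Encode(Crypto.generateAesKey(256))`.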

AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
- ApexBadCrypto
Question
How should I securely store third-party integration keys in custom metadata?
Recommended Answer Update
To securely store third-party integration keys in custom metadata:

1. **Use Protected Custom Metadata Fields**: Store the keys in protected custom metadata fields to prevent unauthorized access or modification.
2. **Encrypt the Keys**: Encrypt the integration keys using Apex Crypto calls for added security.
3. **Separate Encryption Key Storage**: Store the encryption key in a protected custom setting or another protected custom metadata field.
4. **Configure Permissions**: Ensure proper permissions are set for fields containing encrypted secrets.

This approach ensures the secure storage of integration keys. Let me know if you need further assistance!
Reasoning
Made a minor refinement by removing 'API' from 'protected custom metadata API fields' since the term was redundant - custom metadata fields accessed via Apex are inherently API fields, and the simpler term 'protected custom metadata fields' is clearer and more commonly used in Salesforce documentation.

The selected security rules are highly relevant to this FAQ content:

- ApexSuggestUsingNamedCred: This rule suggests using Named Credentials instead of hardcoding credentials, which directly relates to the FAQ's discussion of securely storing third-party integration keys
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: These rules prevent hardcoding credentials in various Apex contexts, which aligns with the FAQ's guidance on proper secure storage of integration keys rather than hardcoding them
- ProtectSensitiveData: This rule focuses on protecting sensitive information, which directly applies to the FAQ's discussion of encrypting and securely storing third-party integration keys
- ApexBadCrypto: This rule addresses proper cryptographic practices in Apex, which relates to the FAQ's recommendation to 'encrypt the integration keys using Apex Crypto calls'
Reasoning References