FAQ-000569 - Custom Settings and Configuration Security / Uncategorized


Current FAQ

Question
Is storing sensitive data in protected custom metadata records an acceptable security practice?
Answer
Yes, storing sensitive data in protected custom metadata records is an acceptable security practice. It's important to ensure the data is stored securely, with proper permissions configured. If needed, encryption can be applied, and the encryption key should be stored in a protected custom setting or a hidden custom metadata API field.

AI Recommended Enhancement

Related Security Rules
- ApexBadCrypto
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
Question
Is storing sensitive data in protected custom metadata records an acceptable security practice?
Recommended Answer Update
Yes, storing sensitive data in protected custom metadata records is an acceptable security practice. It's important to ensure the data is stored securely, with proper permissions configured. If encryption is needed, use platform-provided encryption capabilities or strong encryption algorithms, and store encryption keys securely in protected custom settings or hidden custom metadata API fields—never hardcode encryption keys in your code.
Reasoning
The original answer contained a potential security concern by not emphasizing the critical importance of avoiding hardcoded encryption keys. The phrase 'the encryption key should be stored in a protected custom setting or a hidden custom metadata API field' could be misinterpreted as allowing hardcoded keys as long as they're in the right place. The recommended update clarifies that encryption keys must never be hardcoded in code and should use secure storage mechanisms. This addresses the security confusion around key management practices.

Security rules selected:
- ApexBadCrypto: This rule relates to the FAQ's discussion of encryption practices. The FAQ mentions 'encryption can be applied' and discusses encryption key storage, which directly connects to avoiding bad cryptographic implementations.
- AvoidHardcodedCredentialsInFieldDecls: This rule applies because the FAQ discusses storing sensitive data and encryption keys, which are credentials that should not be hardcoded in field declarations.
- AvoidHardcodedCredentialsInVarAssign: This rule is relevant to the FAQ's guidance about encryption key storage, as developers might assign hardcoded keys to variables when implementing encryption.
- AvoidHardcodedCredentialsInVarDecls: This rule connects to the FAQ's encryption key guidance, as developers might declare variables with hardcoded credential values.
- ProtectSensitiveData: This rule directly relates to the core topic of the FAQ, which is about 'storing sensitive data in protected custom metadata records' - this is exactly what the rule addresses.
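The key-handling guidance above, sketched in Apex as an added example that is not part of the original FAQ: the hardcoded key the listed rules flag is shown as the commented-out "before", followed by a version that reads the key from a protected custom metadata record. The type `Secret_Config__mdt`, its field `Encryption_Key__c`, the record name `Default` and the class name are hypothetical, and the type is assumed to be marked protected and shipped in a managed package.

```apex
// Added example. Secret_Config__mdt, Encryption_Key__c and 'Default' are
// hypothetical names for a protected custom metadata type and record.
public with sharing class SensitiveValueCipher {

    public class MissingKeyException extends Exception {}

    // BEFORE: the pattern the hardcoded-credential and ApexBadCrypto rules flag.
    // The key (a constructed placeholder) ships with the source code.
    //   private static final Blob KEY =
    //       Blob.valueOf('0123456789abcdef0123456789abcdef');

    // AFTER: the key is read at run time from the protected record.
    // The field holds a base64-encoded 256-bit key, for example one produced
    // with Crypto.generateAesKey(256) and loaded during package setup.
    private static Blob loadKey() {
        Secret_Config__mdt cfg = Secret_Config__mdt.getInstance('Default');
        if (cfg == null || String.isBlank(cfg.Encryption_Key__c)) {
            // Fail closed rather than fall back to a built-in default key.
            throw new MissingKeyException('Encryption key record is not configured');
        }
        Blob key = EncodingUtil.base64Decode(cfg.Encryption_Key__c);
        if (key.size() != 32) {
            throw new MissingKeyException('Expected a 256-bit key');
        }
        return key;
    }

    public static String encrypt(String plainText) {
        // The platform generates a random IV and prepends it to the ciphertext,
        // so no IV is hardcoded either.
        Blob cipher = Crypto.encryptWithManagedIV(
            'AES256', loadKey(), Blob.valueOf(plainText));
        return EncodingUtil.base64Encode(cipher);
    }

    public static String decrypt(String cipherTextB64) {
        Blob plain = Crypto.decryptWithManagedIV(
            'AES256', loadKey(), EncodingUtil.base64Decode(cipherTextB64));
        return plain.toString();
    }
}
```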
Reasoning References