FAQ-000716 - Data Storage and Encryption Security / Secure Storage Best Practices

The approved methods for securely storing sensitive data or secrets within a managed package are: 1. **Protected Custom Metadata**: This is the preferred method for securely storing secrets. 2. **Protected Custom Settings**: A legacy option for secure storage. 3. **Named Credentials**: Suitable for locally generated or per-org secrets, though administrators can view these. Additionally, you can encrypt secrets and store them in custom objects, ensuring the encryption key is stored in a protected custom setting or protected custom metadata. Always set proper permissions for fields containing encrypted secrets and use Apex Crypto calls for encryption.

The answer needed minor clarification on the custom metadata terminology. The original text referenced 'hidden custom metadata API field' which is less precise than simply stating 'protected custom metadata' since the protection is the key security feature. This change maintains consistency with the terminology used earlier in the answer and provides clearer guidance. Regarding the related security rules: - ApexBadCrypto: Directly relates to the FAQ's recommendation to 'use Apex Crypto calls for encryption' when storing encrypted secrets in custom objects - ApexSuggestUsingNamedCred: Connects to the FAQ's discussion of Named Credentials as an approved method for storing secrets - AvoidHardcodedCredentialsInFieldDecls: Relates to the FAQ's guidance on secure storage alternatives to prevent hardcoded credentials in field declarations - AvoidHardcodedCredentialsInVarAssign: Connects to the FAQ's secure storage methods as alternatives to hardcoded credentials in variable assignments - AvoidHardcodedCredentialsInVarDecls: Relates to the FAQ's secure storage solutions as alternatives to hardcoded credentials in variable declarations - ProtectSensitiveData: Broadly applies to the entire FAQ topic of protecting sensitive data through secure storage methods