FAQ-001065 - JWT and Token Security / JWT Key Management and Storage


Current FAQ

Question
What are the best practices for securely storing, managing, and rotating JWT private keys and secrets in managed packages?
Answer
**Secure Storage Best Practices:**
- Store private keys securely using **protected custom settings** or **protected custom metadata** to ensure they are not accessible to unauthorized users or other packages.
- Encrypt sensitive data, such as secrets and tokens, and store the encryption key in protected custom metadata or settings.
- For server-side applications, encrypt secrets with **AES-128 or higher** and store the encryption key in a location inaccessible to the database layer but accessible to the application layer.
- For client-side applications, rely on vendor-provided keychains or keystores for secure storage, avoiding hardcoding of secrets.

**Key Protection Measures:**
- Restrict access to keys to authorized users and processes only through strict access controls and permissions.
- Implement encryption for keys both at rest and in transit.
- Avoid exposing private keys in client-side code or logs.
- Ensure secrets are not written to logs or stored in unencrypted form.
- Avoid transmitting sensitive data outside the Salesforce platform unless absolutely necessary.

**Key Management and Rotation:**
1. **Regular Key Rotation**: Regularly rotate keys by generating new ones, updating the connected app configuration, and invalidating old keys after the transition.
2. **Audit and Monitoring**: Regularly audit key usage and monitor for unauthorized access or anomalies to identify and mitigate security risks.
3. **Documentation**: Document the key management and rotation process, including steps for generating, storing, and updating keys, to ensure consistency and compliance.
4. **Fallback Mechanism**: Have a fallback mechanism to handle key rotation failures, such as temporarily retaining the previous key until the new one is operational.

**Communication Security:**
- Use **HTTPS** for all callback URLs to ensure secure communication.
- Ensure all API connections use HTTPS and meet SSL configuration requirements.

**Implementation Guidelines:**
- Follow security guidelines to prevent unauthorized access and maintain the security and integrity of your managed package.
- Implement encryption for sensitive data and follow established security standards.

Following these comprehensive practices enhances the security and reliability of your JWT authentication mechanism while ensuring compliance with security review requirements.

AI Recommended Enhancement

Related Security Rules
- ApexBadCrypto
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
- UseHttpsCallbackUrlConnectedApp
Question
What are the best practices for securely storing, managing, and rotating JWT private keys and secrets in managed packages?
Recommended Answer Update
**Secure Storage Best Practices:**
- Store private keys securely using **protected custom settings** or **protected custom metadata** to ensure they're not accessible to unauthorized users or other packages.
- Encrypt sensitive data, such as secrets and tokens, and store the encryption key in protected custom metadata or settings.
- For server-side applications, encrypt secrets with **AES-256 or higher** and store the encryption key in a location inaccessible to the database layer but accessible to the application layer.
- For client-side applications, rely on vendor-provided keychains or keystores for secure storage, avoiding hardcoding of secrets.

**Key Protection Measures:**
- Restrict access to keys to authorized users and processes only through strict access controls and permissions.
- Implement encryption for keys both at rest and in transit.
- Avoid exposing private keys in client-side code or logs.
- Ensure secrets aren't written to logs or stored in unencrypted form.
- Avoid transmitting sensitive data outside the Salesforce platform unless absolutely necessary.

**Key Management and Rotation:**
1. **Regular Key Rotation**: Regularly rotate keys by generating new ones, updating the connected app configuration, and invalidating old keys after the transition.
2. **Audit and Monitoring**: Regularly audit key usage and monitor for unauthorized access or anomalies to identify and mitigate security risks.
3. **Documentation**: Document the key management and rotation process, including steps for generating, storing, and updating keys, to ensure consistency and compliance.
4. **Fallback Mechanism**: Have a fallback mechanism to handle key rotation failures, such as temporarily retaining the previous key until the new one is operational.

**Communication Security:**
- Use **HTTPS** for all callback URLs to ensure secure communication.
- Ensure all API connections use HTTPS and meet SSL configuration requirements.

**Implementation Guidelines:**
- Follow security guidelines to prevent unauthorized access and maintain the security and integrity of your managed package.
- Implement encryption for sensitive data and follow established security standards.

Following these comprehensive practices enhances the security and reliability of your JWT authentication mechanism while ensuring compliance with security review requirements.
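As an added example (not code from the FAQ, from the review tool or from Salesforce), the following Apex helper puts the storage, AES-256 and rotation-fallback guidance in both answers above into one class for a managed package. The protected custom metadata type `JWT_Secret__mdt`, the protected hierarchy custom setting `JWT_Key_Config__c` and all of their fields are assumed names.

```apex
// Added example (not from the FAQ or Salesforce). Assumed objects: protected custom
// metadata JWT_Secret__mdt {Encrypted_Value__c: base64 IV+ciphertext, Key_Version__c}
// and protected hierarchy setting JWT_Key_Config__c {Current_Key__c, Previous_Key__c:
// base64 256-bit AES keys, Current_Key_Version__c}.
public with sharing class JwtSecretStore {
    public class SecretUnavailableException extends Exception {}

    // Resolve the plaintext secret for one metadata record (e.g. 'Signing_Key').
    public static Blob getSecret(String developerName) {
        JWT_Secret__mdt rec = JWT_Secret__mdt.getInstance(developerName);
        if (rec == null || String.isBlank(rec.Encrypted_Value__c)) {
            throw new SecretUnavailableException('No secret record: ' + developerName);
        }
        JWT_Key_Config__c cfg = JWT_Key_Config__c.getOrgDefaults();
        String encodedKey = selectKeyForVersion(cfg, rec.Key_Version__c);
        if (String.isBlank(encodedKey)) {
            throw new SecretUnavailableException('No retained key for version ' + rec.Key_Version__c);
        }
        try {
            return Crypto.decryptWithManagedIV('AES256',
                EncodingUtil.base64Decode(encodedKey),
                EncodingUtil.base64Decode(rec.Encrypted_Value__c));
        } catch (Exception e) {
            // Fail closed and keep key and ciphertext material out of the log message.
            throw new SecretUnavailableException('Decryption failed for ' + developerName);
        }
    }

    // Select the key by recorded version instead of trial decryption: the current key,
    // or the retained previous key while a rotation is in progress; older is refused.
    @TestVisible
    private static String selectKeyForVersion(JWT_Key_Config__c cfg, Decimal version) {
        if (cfg == null || version == null || cfg.Current_Key_Version__c == null) return null;
        if (version == cfg.Current_Key_Version__c) return cfg.Current_Key__c;
        if (version == cfg.Current_Key_Version__c - 1) return cfg.Previous_Key__c;
        return null;
    }

    // Rotation step: re-encrypt the secret under a fresh AES-256 key. The caller deploys
    // the returned values; the old current key moves to Previous_Key__c and the version
    // is incremented, so both versions decrypt until the transition completes.
    public static Map<String, String> reencryptForRotation(Blob plaintextSecret) {
        Blob newKey = Crypto.generateAesKey(256);
        Blob ciphertext = Crypto.encryptWithManagedIV('AES256', newKey, plaintextSecret);
        return new Map<String, String>{
            'key' => EncodingUtil.base64Encode(newKey),
            'ciphertext' => EncodingUtil.base64Encode(ciphertext)
        };
    }
}
```

Because custom metadata records cannot be updated with DML from Apex, the rotation step returns the new key and ciphertext for deployment rather than writing them itself.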
Reasoning
The main update needed is upgrading the encryption recommendation from AES-128 to AES-256 to align with current security best practices. The ApexBadCrypto rule specifically flags weak cryptographic algorithms, and AES-128, while not broken, is considered less robust than AES-256 for new implementations. I also made minor grammatical improvements (changing 'are not' to 'aren't') to follow the conversational tone guidelines while maintaining all existing content and structure.

Regarding the selected security rules:
- ApexBadCrypto: Directly relates to the FAQ's recommendation to 'encrypt secrets with AES-128 or higher' as this rule detects weak cryptographic practices
- ApexSuggestUsingNamedCred: Connects to the FAQ's guidance on secure storage of credentials and secrets in managed packages
- AvoidHardcodedCredentialsInFieldDecls: Relates to the FAQ's emphasis on avoiding hardcoding of secrets in code
- AvoidHardcodedCredentialsInHttpHeader: Connected to the FAQ's guidance on secure handling of JWT tokens and secrets
- AvoidHardcodedCredentialsInVarAssign: Applies to the FAQ's recommendations about not exposing private keys in code
- AvoidHardcodedCredentialsInVarDecls: Relates to the FAQ's advice on avoiding hardcoding of secrets
- ProtectSensitiveData: Directly applicable to the entire FAQ's focus on protecting JWT private keys and sensitive authentication data
- UseHttpsCallbackUrlConnectedApp: Specifically relates to the FAQ's 'Communication Security' section requirement to 'Use HTTPS for all callback URLs'