Please Note:

User Guide
Quick Start
- Installation
  - Installing CADP for C on Linux
  - Installing CADP for C on Windows
  - Client Certificate Renewal in Linux/Windows
- Installed Directories
  - Installed Directory on Linux
  - Installed Directory on Windows
Tasks
- Tasks for CAPI
  - Setting up SSL/TLS on CipherTrust Manager and CADP for C
  - Create an NAE Session
  - Configuring CADP for C CAPI Properties File
  - Connecting to a Server through Single Properties File
  - Connecting to a Server through Multiple Properties File
  - Connecting to a Server through NAE and KMIP Session in a Single configuration
  - Adding CipherTrust Manager Servers
  - Adding Syslog Server
  - Enabling Connection Pooling
  - Securing Passphrase
  - Enabling Asymmetric Key Caching
  - Enabling Symmetric Key Caching
  - Setting Logging Parameters
  - Working with Certificates
    - Importing a Certificate
    - Exporting a Certificate
    - Creating a CA Chain using OpenSSL and Uploading on the CipherTrust Manager
    - Exporting a CA Chain
    - Deleting a Certificate
    - Creating a Certificate Signing Request
    - Signing a CSR with an existing local certificate authority
  - NAE Key Management Operations
    - Creating versioned key
    - Creating a new version of a key
    - Destroying versioned key
    - Creating a CipherSpec for a versioned key
    - Exporting a public versioned key
    - Exporting a symmetric versioned key
    - Getting key attributes of a versioned key
    - Modifying the state of a versioned key
    - Calculating the size of ciphertext created by versioned keys
    - Calculating the size of the ciphertext header for a versioned key
    - Deleting the EVP context created using I_C_Crypt_Fast
    - Deriving AES/HMAC symmetric key from any AES/HMAC symmetric key
    - Wrapping AES Key
    - Search key names by multiple attributes
- Tasks for PKCS#11
  - Configuring CADP for C PKCS11 Properties File
  - Configuring Registry Editor on Windows for CADP for C PKCS11
  - Initializing CADP PKCS#11 Library
  - Adding CipherTrust Manager Servers
  - Creating a Key
  - Enabling Connection Pooling
  - Enabling Symmetric Key Caching
  - Enabling Asymmetric Key Caching
  - Setting Logging Parameters
  - Migrating VAE to CADP for C
- Modifying the CADP for C Basic Configuration File
Advanced Topics
- Configuration
  - Logging Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Caching Parameters
  - SSL Configuration Parameters
  - Miscellaneous Parameters
- Symmetric/Asymmetric Caching
  - Symmetric/Asymmetric Caching, CADP for C CAPI
  - Symmetric/Asymmetric Caching, CADP for C PKCS#11
- Connection Pooling
- Load Balancing Group
- Multi-tier Load Balancing Group
- Persistent Key Caching
- Key Management, CADP for C PKCS#11
- Supported Cryptographic Operations
  - Supported Cryptographic Operations for CAPI
  - Supported Cryptographic Operations for PKCS#11
- Format Preserving Encryption
- KMIP Key Management in C
- Utilities
  - CryptoDataUtility
  - SelfSignedCertificate
  - RSAEncryptionUtility
- Pkcs11Interop Library for .Net Core
- Upgrade
  - Upgrade from CADP CAPI to CADP for C
  - Recompiling with CADP for C Library
  - For Already Existing CAPI Sample Executables
  - Upgrade from VAE to CADP for C
- Uninstall

CADP for C
User Guide
Advanced Topics
Persistent Key Caching

Persistent Key Caching

Note

Persistent Cache is applicable to CADP for C CAPI only.

The persistent key cache is a secure cache on the client’s disk that is used to store keys that have been downloaded from the CipherTrust Manager appliance. This cache is used when a key does not exist in the symmetric or asymmetric key cache. When the key is not found in persistent key cache, the client connects to the CipherTrust Manager to fetch the key and download it to all the caches.

The persistent key cache can only be accessed when the correct passphrase is used. The key cache is not transferable between users, client applications, or platforms.

Persistent Cache File

When a persistent cache file is created, the file name uses keycache_ as the prefix followed by the NAE username. For example, the cache name for user1 will be: keycache_user1.

Let's consider a scenario where a user, user1 is created within a domain, domain1. The username is specified as:

domain1||user1

When a persistent cache file is created for a domain user, the | symbol is replaced with _. For example, the naming convention of the persistent cache file for the domain user, domain1||user1 will be:

keycache_domain1__user1

** Important Notes**

Persistent cache files created with CADP for C version lower than 8.11 cannot be used with version 8.11. New persistent cache files need to be created.
The key cache does not store IVs. You must store those values elsewhere.
Both symmetric keys (based on AES, DES, DESede, SEED, RC4,HMAC-SHA1, HMACSHA256, HMACSHA384, and HMACSHA512 algorithms) and asymmetric keys (RSA and ECC algorithm) can be cached.
Downloading keys from the CipherTrust Manager appliance poses a security threat. You must ensure that your network is secure before using this feature. Exporting keys from CipherTrust Manager to your client exposes them to attack.
When creating NAESession using persistent cache, connection with CipherTrust Manager will only be made when the persistent cache file does not exist or when the file is of size 0 KB. Otherwise, the persistent cache file will be verified.

Supported Functions

I_C_CalculateOutputSizeForKey
I_C_CalculateOutputSize
I_C_GetCipherBlockSize
I_C_Crypt
I_C_CrypInit
I_C_CryptUpdate
I_C_CryptFinal
I_C_Crypt_Fast
I_C_Crypt_Enhanced
I_C_CryptBulk_Enhanced

In the Open Session APIs for persistent cache, connection with CipherTrust Manager will be made when the persistent cache file does not exist or the file is of size 0 KB. Otherwise, persistent cache file will be verified.

How it Works

If the key is not found in symmetric/asymmetric key cache, the client uses the persistent cache to search for a key. If the key is not found in any cache, then the client connects to the CipherTrust Manager for the key.

When the Key is found in Persistent Cache

Scenario 1: The key is not found in the persistent cache

The client attempts to connects to CipherTrust Manager, if the connection is successful and the key is found, the key is exported and stored in the persistent and the symmetric/asymmetric cache. If the key is not found or connection fails, the application throws an exception.

Scenario 2: The key is found in the persistent cache

If the key has expired in the persistent cache, the client tries to connect to the CipherTrust Manager. If the connection is successful, the key's information is updated in the persistent and the symmetric/asymmetric cache. If the connection is successful, but the key is not found on CipherTrust Manager, the key is deleted from the persistent cache. If the connection fails, the key's expiry time is updated to that of the next persistent cache expiry interval. The key is copied to the symmetric/asymmetric cache.

Note

When the client attempts to connect to CipherTrust Manager in the above scenarios, and if the connection fails; the existing key in the persistent cache is not deleted.

Related Parameters

To use persistent key cache, you need to set the following parameters in the properties file:

Symmetric_Key_Cache_Enabled
Symmetric_Key_Cache_Expiry
Asymmetric_Key_Cache_Enabled
Persistent_Cache_Enabled
Persistent_Cache_Directory
Persistent_Cache_Expiry_Keys
Persistent_Cache_Max_Size

Refer to Caching Parameters to know more about the caching related properties.

Logging

The server logs all key downloads in the NAE log. The client logs the following actions:

Enabling persistent key storage
Key downloads
Use of downloaded key
Deletion of key from cache

Pre-Loading Keys

If you have an advanced notice that your server is going to be offline, then you can preload the keys to ensure that your persistent key cache is populated when you need it.

Suggest A Change

Persistent Key Caching

Persistent Cache File

Supported Functions

How it Works

When the Key is found in Persistent Cache

Logging

Pre-Loading Keys

On this page