Encrypt and Decrypt using All Key Versions
This functionality allows you to encrypt using all versions of a key locally on the client end. There will be only key info, key export request made on the server for fetching the keys. To use this feature, following parameters must be configured:
Symmetric_Key_Cache_Enabled
Symmetric_Key_Cache_Expiry
key_non_exportable_policy
The key info and export request are made for all the versions and stored in symmetric cache for the next operations performed on the client. If there are any changes in the states of the keys, they will be updated after Symmetric_Key_Cache_Expiry
. After this interval, all the key versions are updated again in the symmetric cache.
This feature is only supported with the following transformations:
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
The ciphertext contains header information indicating the version of the key used during encryption. This header is 3 bytes long. During decryption, the Key Manager parses this information and applies the correct key version. There is no need to specify the key version.
To use this feature with persistent cache, the following parameters must be configured:
Symmetric_Key_Cache_Enabled
Symmetric_Key_Cache_Expiry
Persistent_Cache_Enabled
Persistent_Cache_Directory
Persistent_Cache_Expiry
key_non_exportable_policy
The key info and export request are made for all the versions and stored in persistent cache for the next operations performed on the client. If there are any changes in the states of the keys, they will be updated after Persistent_Cache_Expiry
. After this interval, all the key versions are updated again in the persistent cache.