Persistent Key Caching
The persistent key cache is a secure cache on the client’s disk that stores keys exported from the Key Manager. This cache is used when a key does not exist in the symmetric/asymmetric key cache. The key cache is not transferable between users, client applications, or platforms. Symmetric and asymmetric keys can be cached in the persistent cache.
When key is not found in persistent key cache, the client automatically try to connects to the Ciphertrust Manager to fetch the key and download it to persistent key cache.
The key cache does not store IVs. You must store those values elsewhere. Only symmetric keys (AES, HMAC) and asymmetric keys (RSA, EC) can be cached.
The persistent key cache can only be accessed when the correct "passphrase" is provided. The maximum length supported for a passphrase is 256 characters.
When a persistent cache file is created, the file name uses keycache_ as the prefix followed by the NAE username. For example, the cache name for user1 will be: keycache_user1.
For global NAE session, the persistent file is created with the name keycache_no#user.
For versioned keys, all the versions of a key must be exportable.
Caution
The client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. Ensure you are using a secure method of download and that your client’s operating system is secure.
Note
Key(s) present in the persistent cache file will be deleted. Persistent cache file will be updated with the same keys fetched from the CipherTrust Manager while performing crypto operations.
Note
When creating an NAESession using a persistent cache, connection with the CipherTrust Manager will only be established when the persistent cache file doesn't exist or the file size is 0 KB. Otherwise, the persistent cache is verified using the passphrase provided and then used for the crypto operations.
How Persistent Cache Works
The client uses the persistent cache to search for a key if it is not found in symmetric/asymmetric key cache. If the key is not found in persistent cache, the client connects to CipherTrust Manager for the key. The following scenarios describe how the persistent cache feature works:
Scenario 1: The key is not found in the persistent cache
The client attempts to connect to CipherTrust Manager, if the connection is successful and the key is found, the key is exported and stored in the persistent and the symmetric/asymmetric cache. If the key is not found or connection fails, the application throws an exception.
Scenario 2: The key is found in the persistent cache
If the key has expired in the persistent cache, the client tries to connect to the server. If the connection is successful, the key's information is updated in the persistent and the symmetric/asymmetric cache. If the connection is successful, but the key is not found on CipherTrust Manager, the key is deleted from the persistent cache. If the connection fails, the key's expiry time is updated to that of the next persistent cache expiry interval. The key is copied to the symmetric/asymmetric cache.
Related Parameters
To use the Persistent key cache, set the following parameters in the properties file:
| Symmetric_Key_Cache_Enabled | Key_Cache_Expiry |
| Asymmetric_Key_Cache_Enabled | Persistent_Cache_Enabled |
| Persistent_Cache_Directory | Persistent_Cache_Expiry_Keys |
| Persistent_Cache_Max_Size |
Refer to Caching Parameters for details about the caching configuration related properties.
Logging
The server logs all key downloads in the NAE log. The client logs the following actions:
Enabling persistent key storage
Key downloads
Use of downloaded key
