Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Advanced Topics

Persistent Key Caching

search

Please Note:

printsuggest an edit

Persistent Key Caching

The persistent key cache is a secure cache on the client’s disk that stores keys exported from the Key Manager. This cache is used when a key does not exist in the symmetric/asymmetric key cache. The key cache is not transferable between users, client applications, or platforms. Symmetric and asymmetric keys can be cached in the persistent cache.

When key is not found in persistent key cache, the client automatically try to connects to the Ciphertrust Manager to fetch the key and download it to persistent key cache.

The key cache does not store IVs. You must store those values elsewhere. Only symmetric keys (AES, HMAC) and asymmetric keys (RSA, EC) can be cached.

The persistent key cache can only be accessed when the correct "passphrase" is provided. The maximum length supported for a passphrase is 256 characters.

When a persistent cache file is created, the file name uses keycache_ as the prefix followed by the NAE username. For example, the cache name for user1 will be: keycache_user1.

For global NAE session, the persistent file is created with the name keycache_no#user.

For versioned keys, all the versions of a key must be exportable.

Caution

The client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. Ensure you are using a secure method of download and that your client’s operating system is secure.

Note

Key(s) present in the persistent cache file will be deleted. Persistent cache file will be updated with the same keys fetched from the CipherTrust Manager while performing crypto operations.

Note

When creating an NAESession using a persistent cache, connection with the CipherTrust Manager will only be established when the persistent cache file doesn't exist or the file size is 0 KB. Otherwise, the persistent cache is verified using the passphrase provided and then used for the crypto operations.

copy link to clipboardHow Persistent Cache Works

The client uses the persistent cache to search for a key if it is not found in symmetric/asymmetric key cache. If the key is not found in persistent cache, the client connects to CipherTrust Manager for the key. The following scenarios describe how the persistent cache feature works:

Scenario 1: The key is not found in the persistent cache

The client attempts to connect to CipherTrust Manager, if the connection is successful and the key is found, the key is exported and stored in the persistent and the symmetric/asymmetric cache. If the key is not found or connection fails, the application throws an exception.

Scenario 2: The key is found in the persistent cache

If the key has expired in the persistent cache, the client tries to connect to the server. If the connection is successful, the key's information is updated in the persistent and the symmetric/asymmetric cache. If the connection is successful, but the key is not found on CipherTrust Manager, the key is deleted from the persistent cache. If the connection fails, the key's expiry time is updated to that of the next persistent cache expiry interval. The key is copied to the symmetric/asymmetric cache.

To use the Persistent key cache, set the following parameters in the properties file:

Symmetric_Key_Cache_EnabledKey_Cache_Expiry
Asymmetric_Key_Cache_EnabledPersistent_Cache_Enabled
Persistent_Cache_DirectoryPersistent_Cache_Expiry_Keys
Persistent_Cache_Max_Size

Refer to Caching Parameters for details about the caching configuration related properties.

copy link to clipboardLogging

The server logs all key downloads in the NAE log. The client logs the following actions:

  • Enabling persistent key storage

  • Key downloads

  • Use of downloaded key

On this page