Please Note:

Administration
Quick Start
Alternative installation methods
- Silent Installation
- Install CDP for DB2 on IBM DB2 pureScale
- Install CDP for DB2 on IBM PureData System for Transaction
- Install CDP using Chef Scripts
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Delete data after encryption or decryption
- Configure column-level encryption settings
- Delete views and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- View job history
- Recreate view and triggers
- Download keys from CipherTrust Manager
- Upgrade CDP
- Uninstall CDP
- Install Unrestricted JCE Policy Files
- Configure SSL connection
- Install Files for Client Certificate Authentication
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Tables and Views
- Database objects
  - UDFs for Non-FPE
    - How to Call Direct DB2 UDFs for Non-FPE Algorithms
  - UDFs for FPE
    - How to Call Direct DB2 UDFs for FPE Algorithms
  - Stored Procedure
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - SSL Configuration Parameters
  - Logging Configuration Parameters
- User Mapping
- Error Replacement
Tips and Best Practices
Troubleshooting
FAQs

CDP for DB2
Administration
Advanced Topics
Key caching

Key caching

The symmetric key caching feature is used to export symmetric keys from the server and store them on the client for a limited time to perform cryptographic operations locally. Keys are cached in the memory as soon as the SQL session is started and remain there until the SQL session is closed or the time specified by Symmetric_Key_Cache_Expiry is reached. Keys cached on the client are stored in process memory only; they are not stored on disk.

This feature can improve performance, specifically, if network latency is high, encryption sizes are small, and local CPU cycles are available. Once keys are cached, the client’s cryptographic operations can continue without access to the server.

Only symmetric keys (AES, ARIA, DESede, and SEED) that have been marked Exportable may be cached. In addition, the user must have export privileges for the key. Therefore, the user must be the key owner or the key must be global. Full encryption and decryption privileges are automatically granted for all keys in the client cache; while in the cache, key permissions and authorization policies are ignored.

Caution

Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the symmetric key caching feature, be sure that you are using a secure method of download and that your client’s operating system is secure.

How it works

The following steps describe what happens when the Symmetric Key Caching feature is enabled and the client requests a key:

The client requests a key.
The client checks whether Symmetric_Key_Cache_Enabled is yes (or tcp_ok). If the feature is enabled, the client searches for the key in the key cache.
The client does not find the key in the cache.
The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.
Subsequent requests for that key use the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.

Suggest A Change

Key caching

How it works

On this page