Key caching
The key caching feature enables you to export keys from Key Manager and store them on the client for a limited time, in order to perform cryptographic operations locally.
Keys are cached in memory as soon as the CDP for MSSQL DLL is loaded, and remain there until the SQL server is restarted or the time specified by Symmetric_Key_Cache_Expiry has passed. Keys cached on the client are stored in process memory only; they are never written to disk.
This feature improves performance, particularly when network latency is high, the data being encrypted is small, and local CPU cycles are available. Once keys are cached, client crypto operations can continue without access to the server.
Only symmetric keys (AES, ARIA, DES, DESede, SEED, RC4) that have been marked Exportable can be cached. In addition, the NAE user must have export privileges for the key. Therefore, to export a key, at least one of the following criteria must be met:
- You must be the key owner.
- You must be part of a group with permissions on the key, and you may only perform the operations that have been configured for that group.
- The key must be global.
Note
Authorization policies are ignored in the cache.
Caution
Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the symmetric key caching feature, be sure that you are using a secure method of download and that your client’s operating system is secure.
How it works
The following steps describe what happens when the Symmetric Key Caching feature is enabled and the client requests a key:
1. The client requests a key.
2. The client checks whether Symmetric_Key_Cache_Enabled is set to yes (or tcp_ok). If the feature is enabled, the client searches for the key in the key cache.
3. The client does not find the key in the cache.
4. The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client, and the key is stored in the cache.
5. Subsequent requests for that key are served from the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.
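The following Python model walks through the five steps above with a fake clock so the expiry behaviour can be observed. It is an added illustration, not code from CDP for MSSQL or CipherTrust Manager; the class names (KeyServer, KeyCache), the in-memory dict used as the cache, and the sample keys and users are all constructed for this example. The parameter names and accepted values (Symmetric_Key_Cache_Enabled = yes / tcp_ok, Symmetric_Key_Cache_Expiry) come from the documentation. Note how, exactly as the Note above states, a cache hit returns the key without re-checking any authorization policy on the server: only the first fetch is subject to the export checks.

```python
"""Model of the symmetric key caching flow (added example, not product code)."""
import time


class KeyServer:
    """Stand-in for the key server (CipherTrust Manager). Hypothetical class.

    keys maps key name -> dict with material, exportable flag, owner,
    groups with permissions on the key, and whether the key is global.
    """

    def __init__(self, keys):
        self.keys = keys
        self.export_requests = 0  # how often the client came to the server

    def export_key(self, name, user, user_groups):
        """Apply the export rules from the docs: key must be Exportable and
        the user must be owner, member of a permitted group, or key global."""
        self.export_requests += 1
        key = self.keys[name]
        if not key["exportable"]:
            raise PermissionError(f"{name} is not marked Exportable")
        permitted = (
            user == key["owner"]
            or key["global"]
            or bool(set(user_groups) & set(key["groups"]))
        )
        if not permitted:
            raise PermissionError(f"{user} has no export permission on {name}")
        return key["material"]


class KeyCache:
    """Client-side cache kept in process memory only (a plain dict, never disk)."""

    def __init__(self, server, cache_enabled="yes", cache_expiry=3600,
                 clock=time.monotonic):
        self.server = server
        # Symmetric_Key_Cache_Enabled: "yes" or "tcp_ok" turns caching on
        self.enabled = cache_enabled in ("yes", "tcp_ok")
        self.expiry = cache_expiry  # Symmetric_Key_Cache_Expiry, in seconds
        self.clock = clock  # injectable so tests can advance time
        self._entries = {}  # key name -> (material, expires_at)
        self.cache_hits = 0

    def get_key(self, name, user, user_groups=()):
        # Step 1: the client requests a key.
        now = self.clock()
        # Step 2: if caching is enabled, look in the cache first.
        if self.enabled:
            entry = self._entries.get(name)
            # Step 5: a fresh entry is served locally with no server contact and,
            # as the docs note, without consulting authorization policies again.
            if entry is not None and now < entry[1]:
                self.cache_hits += 1
                return entry[0]
        # Steps 3-4: not cached (or expired): fetch from the server, which
        # enforces the exportability and permission rules.
        material = self.server.export_key(name, user, user_groups)
        if self.enabled:
            self._entries[name] = (material, now + self.expiry)
        return material

    def cached_key_names(self):
        """Names of keys currently held in memory (expired entries included
        until they are replaced), useful when reasoning about exposure."""
        return sorted(self._entries)


def demo():
    """Run the flow with constructed keys and a manual clock."""
    clock = [0.0]
    server = KeyServer({
        "aes-orders": {"material": b"\x11" * 32, "exportable": True,
                        "owner": "alice", "groups": ["dba"], "global": False},
        "aes-hr": {"material": b"\x22" * 32, "exportable": False,
                    "owner": "bob", "groups": [], "global": False},
    })
    cache = KeyCache(server, "tcp_ok", cache_expiry=60, clock=lambda: clock[0])
    cache.get_key("aes-orders", "alice")       # server fetch, now cached
    cache.get_key("aes-orders", "alice")       # cache hit
    clock[0] = 61.0                            # expiry elapsed
    cache.get_key("aes-orders", "alice")       # server fetch again
    return server.export_requests, cache.cache_hits


if __name__ == "__main__":
    print(demo())
```

Running demo() yields two server fetches and one cache hit: the second request is served locally, and the third goes back to the server because Symmetric_Key_Cache_Expiry has elapsed. Setting cache_enabled to anything other than yes or tcp_ok makes every request a server round trip.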
To use the Symmetric Key Caching feature, you must configure the required parameters. Refer to Local Encryption Configuration Parameters.