Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Advanced Topics

Key caching

search

Please Note:

printsuggest an edit

Key caching

copy link to clipboardSymmetric Cache

The key caching feature enables you to export keys from Key Manager and store them on the client for a limited time, in order to perform cryptographic operations locally.

Keys are cached in the memory as soon as the CDP for Oracle DLL is loaded, and remain there until the SQL session is restarted or the time specified by Symmetric_Key_Cache_Expiry has passed. Keys cached on the client are stored in process memory only; they are not stored on disk.

This feature improves performance, specifically if network latency is high, encryption sizes are small, and local CPU cycles are available. Once keys are cached, client crypto operations can continue without access to the server.

Only symmetric keys (AES, ARIA, DES, DESede, SEED, RC4) that have been marked Exportable can be cached. In addition, the NAE user must have export privileges for the key. Therefore, to export keys, any of the following criteria must be met:

  • You must be the key owner.

  • You must be part of a group with permissions on the key and should only perform those operations that have been configured for that group.

  • The key must be global.

Note

Authorization policies are ignored in the cache.

Caution

Your client and its connection to the CipherTrust Manager must be secure. Downloading keys over this connection and storing them on your client exposes them to possible attack. When using the symmetric key caching feature, be sure that you are using a secure method of download and that your client’s operating system is secure.

copy link to clipboardHow it works

The following steps describe what happens when the Symmetric Key Caching feature is enabled and the client requests a key:

  1. The client requests a key.

  2. The client checks whether Symmetric_Key_Cache_Enabled is yes (or tcp_ok). If the feature is enabled, the client searches for the key in the key cache.

  3. The client does not find the key in the cache.

  4. The client requests the key from the server. If you have permission and the key is exportable, the server downloads the key to the client. The key is stored in the cache.

  5. Subsequent requests for that key use the key cache until the time set in Symmetric_Key_Cache_Expiry has passed.

copy link to clipboardPersistent Cache

The persistent key cache is a secure cache on the client’s disk that stores keys exported from the Key Manager. This cache is used when a key does not exist in the symmetric key cache . Note that CDP only uses the XML protocol to export keys. The key cache is not transferable between users.

Unlike the symmetric key cache, which stores keys in memory, the persistent key cache is saved to disk. When a persistent cache file is created, the file name uses keycache_ as the prefix followed by the NAE username. For example, the cache name for user1 will be: keycache_user1. If the username contains upper case letters, those letters are preceded by #. For example, cache name for MyUser will be: keycache_#my#user.

Symmetric keys can be cached in the persistent cache. All versions other than the retired or wiped version of the key are cached in the persistent cache.

Note

Any key-related changes done on the Key Manager will be reflected only after the Persistent_Cache_Expiry_Keys interval has passed.

copy link to clipboardHow it works

The CDP uses the persistent cache to search for a key if it is not found in symmetric key cache. If the key is not found in persistent cache, then the client connects to Key Manager for the key.

The following scenarios describe how the persistent cache feature works when the client searches for a key in persistent cache

copy link to clipboardScenario 1: The key is not found in the persistent cache

The CDP attempts to connects to Key Manager, if the connection is successful and the key is found, the key is exported and stored in the persistent and the symmetric cache. If the key is not found or connection fails, the application throws an exception.

copy link to clipboardScenario 2: The key is found in the persistent cache

If the key has expired in the persistent cache, the client tries to connect to the server. If the connection is successful, the key's information is updated in the persistent and the symmetric cache. If the connection is successful, but the key is not found on Key Manager, the key is deleted from the persistent cache. If the connection fails, the key's expiry time is updated to that of the next persistent cache expiry interval. The key is copied to the symmetric cache.

Note

  • When the client attempts to connect to Key Manager in the above scenarios, and if the connection fails; the existing key in the persistent cache is not deleted.

  • If the Persistent_Cache_Enabled parameter is set to true, it is recommended to specify the value for the Persistent_Cache_Directory parameter. If directory is not specified, the CDP uses local cache instead of throwing error.

  • If the Key Manager is unreachable, you can tune the connection parameters in the ProtectDB.properties file to reduce the latency.

copy link to clipboardLogging

The server will log all key downloads in the NAE log. The client will log the following actions:

  • enabling persistent key storage

  • key downloads

  • use of downloaded key

  • deletion of key from cache

copy link to clipboardErrors

ProblemSolution
Oracle throws the following exception on the Windows OS:
ORA-29532: Java call terminated by uncaught Java exception:
java.lang.Error:
java.io.IOException: sjonfile_ fileinfo fais to get fileinfo		— For Oracle 12.2, install the following oracle patch:https://updates.oracle.com/download/31740064.html
— For Oracle 18c and 19c, contact the Oracle support.
Key won’t exported to the cacheCheck the key’s exportable setting. Only the exportable keys can be downloaded to the symmetric key and persistent key caches. Check the port configuration. The keys can only be exported only if the port allows download of exported keys.
Can’t create keys when server connection is disrupted.This works as designed. The persistent key cache is not used for creating keys. The CDP can only create keys on the Key Manager.

On this page