CT-VL Key Cache
Keys are cached in CT-VL for efficiency and to minimize network latency.
If a key expires (that is, it is deactivated, compromised, and so on), there is a trade-off that each installation needs to take into account:
Integrity - if this is more important, performance slows down considerably, because network transmission is orders of magnitude slower than accessing data in memory.
Performance - if this is more important, there is a small integrity sacrifice, because a cached key can continue to be used until its cache entry expires.
Determining Key Cache Expiration Time
The CT-VL key cache has a default expiration time of 300 seconds. However, the actual expiration time also depends on whether the key is in use for a session or not.
Note
If a key id has the :refresh attribute appended to it, both the local and cryptod caches are cleared. Calling it on every request would degrade performance, although integrity is preserved. The strategy for finding the remaining expiration time is to look at the deactivation_date attribute and work out how much time remains until the next rotation.
Automatic vs Manual Key Rotation Process
Automatic Key Rotation
One way to ensure that the key has not expired is to do a GET on the key and look at the deactivation_date attribute value. When you are close to the expiration time, append the :refresh attribute until you see a different date in the future.
Manual Key Rotation
The creation_date can be used to calculate a deactivation date if you have a manual rotation process and you know how long the key will last. As the rotation is manual, you may want to do refreshes for a greater period of time until you see a new creation date. Once out of the rotation risk zone, drop the :refresh, and you will get better throughput at these times.
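As an added example (not from the CT-VL documentation), the following Python implements the decision behind both procedures above: it takes a key's attributes, computes the remaining time until deactivation (from deactivation_date, or from creation_date plus a known lifetime for manual rotation), and appends :refresh to the key id only inside the risk window. The 300 second cache lifetime comes from this page; the refresh margin, the ISO 8601 timestamp format, the key dictionary layout and the constructed sample keys are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Default CT-VL key cache lifetime (from the page). The margin is an assumed
# tuning value: start refreshing when less than margin + TTL remains.
CACHE_TTL = timedelta(seconds=300)
REFRESH_MARGIN = timedelta(minutes=10)

# Constructed sample key attributes (not real CT-VL data).
AUTO_KEY = {"id": "tok-key-01", "creation_date": "2024-05-01T00:00:00Z",
            "deactivation_date": "2024-06-01T00:00:00Z"}
MANUAL_KEY = {"id": "tok-key-02", "creation_date": "2024-05-01T00:00:00Z"}


def parse_ts(value):
    """Parse an ISO 8601 timestamp (assumed attribute format) into an aware datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def deactivation_time(key, manual_lifetime_s=None):
    """When the key stops being valid.

    Automatic rotation: use the deactivation_date attribute directly.
    Manual rotation: derive it from creation_date plus the known key lifetime.
    """
    if key.get("deactivation_date"):
        return parse_ts(key["deactivation_date"])
    if manual_lifetime_s is None:
        raise ValueError("no deactivation_date and no manual lifetime given")
    return parse_ts(key["creation_date"]) + timedelta(seconds=manual_lifetime_s)


def key_id_for_request(key, now_iso, manual_lifetime_s=None, margin=REFRESH_MARGIN):
    """Key id to send: plain when far from rotation, ':refresh' when close.

    :refresh clears the local and cryptod caches, so it is only worth its cost
    in the window where a cached copy could outlive the key.
    """
    remaining = deactivation_time(key, manual_lifetime_s) - parse_ts(now_iso)
    # A cached entry lives CACHE_TTL, so anything closer than margin + TTL is at risk.
    if remaining <= margin + CACHE_TTL:
        return key["id"] + ":refresh"
    return key["id"]


def rotation_seen(old_key, new_key):
    """True once a GET shows a deactivation_date later than before: drop :refresh."""
    return parse_ts(new_key["deactivation_date"]) > parse_ts(old_key["deactivation_date"])
```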
There are no performance numbers for key operations, since the original assumption is that keys and their states do not change that often. CipherTrust cryptographic operations do perform a key fetch internally if the key is not cached.