Configure Data Encryption for Cache
Data Encryption for cache can be configured in the following way. Read more about how it works, here.
How to Add or Change KEK and CEK
You can add or change KEK and CEK for both, the remote client and cache server, through either manually editing the configuration file or by using the Command Line tool, as discussed below:
Manually Editing NCache Configuration
- To add or change KEK, update the NCache Service configuration file using the following key-value pair:
<add key="NCacheServer.KeyEncryptionKey" value="[Valid AES 256 KEY]"/>
- Similarly, to add or change CEK, update the NCache Service configuration file using the following key-value pair:
<add key="NCacheServer.CredentialsEncryptionKey" value="[Valid AES 256 KEY]"/>
Important
The NCache Service will not start unless valid KEK and CEK are provided in the NCache Service configuration file.
By default, the NCache installer adds default keys (predefined Encryption keys) to the configuration file. For enhanced security, it is recommended to update the KEK and CEK in the NCache Service configuration file for remote clients or cache servers. After updating the keys, restart the NCache Service and cache processes for the changes to take effect.
Important
The KEK and CEK on a remote client can be different from the server nodes, but all server nodes must use the same KEK and CEK.
Using Command Line Tools
The Set-NCServiceConfigSetting command modifies or adds a key-value pair in the Alachisoft.NCache.Service.dll.config file on NCache servers. If the change is hot-applicable, it takes effect immediately without needing to restart the NCache service. The following commands sets different key-value pairs in theAlachisoft.NCache.Service.dll.config file.
- This command sets the
NCacheServer.EventBulkCountkey-value pair in the Alachisoft.NCache.Service.dll.config file as per your requirement.
Set-NCServiceConfigSetting -Key NCacheServer.EventBulkCount -Value 50
- This command sets the
NCacheServer.EnableCacheLastAccessCountkey-value pair in the Alachisoft.NCache.Service.dll.config file on the server 20.200.20.11.
Set-NCServiceConfigSetting -Key NCacheServer.EnableCacheLastAccessCount -Value false -Server 20.200.20.11
- This command sets the
NCacheServer.EnableCommandThresholdLoggingkey-value pair in the Alachisoft.NCache.Service.dll.config file as per your requirement.
Set-NCServiceConfigSetting -Key NCacheServer.EnableCommandThresholdLogging -Value false
- This command sets the
NCacheServer.EnableCommandThresholdLoggingkey-value pair in the Alachisoft.NCache.Service.dll.config file as per your requirement, using security credentials.
Set-NCServiceConfigSetting -Key NCacheServer.EnableCommandThresholdLogging -Value false -Credentials(Get-Credential john_smith)
These keys are discussed below:
| Keys | Data Types | Value | Description |
|---|---|---|---|
| NCacheServer.EventBulkCount | <String> |
50 | Specifies the number of events grouped and sent together from the server to the client and this bulk size is configurable. This is only available in client version 4124 or above. The default value is 50, and it cannot be set to less than 1. |
| NCacheServer.EnableCacheLastAccessCount | <String> |
False | Enables or disables the collection of LastAccessCount data, which tracks the number of times a cached item was accessed. |
| NCacheServer.EnableCommandThresholdLogging | <String> |
False | The NCacheServer.EnableCommandThresholdLogging controls threshold logging for data source operations (e.g., ReadThru, WriteThru). When enabled, NCache tracks the execution time of operations performed through the data source provider and logs a warning if any operation exceeds the defined CommandExecutionThreshold. |
Configuring Encryption
For an existing cache, Encryption can be enabled in the following steps:
Using the NCache Management Center
Launch the NCache Management Center by browsing to http://localhost:8251 or
<server-ip>:8251.In the left navigation bar, click on Clustered Caches or Local Caches, based on the cache to which Encryption will be configured. Against the cache name, click on View Details.
This opens up the detailed configuration page for the cache. Go to the Advanced Settings tab and click on Security and Encryption in the left bar.
Add Users or Groups in the Authorization section. Please note that you need to enable node security on all cache servers before adding cache users or groups.
Under Encryption, select the Enable Encryption checkbox to enable Encryption.
Select the Encryption provider as per your requirement from the given Providers dropdown list.
- Enter the Encryption key in the Key text box. This is a 32-character key for a 256-bit Encryption algorithm.
Note
Different Encryption providers require different key lengths.
- Click on Save Changes to apply this configuration to the cache.
Note
Encryption can be enabled at the time of cache creation.
Using Command Line Tools
Encryption can also be configured using PowerShell cmdlets to enable and disable Encryption as discussed below.
Enable Encryption
To enable Encryption on your cache server, run the following command. This command enables the Encryption on the cache server 20.200.20.40 for the demoCache.
Enable-NCEncryption -CacheName demoCache -Server 20.200.20.40 -Key ctzXMnyvK2qbZvBZQ3nLrTavQKI9Q9cz -Provider AES256
Disable Encryption
To disable Encryption on your cache server, run the following command. This command disables the Encryption on the cache server 20.200.20.40 for the demoCache.
Manually Editing NCache Configuration
Your config.ncconf will contain the following tag:
<configuration>
...
<encryption enable-encryption="True" key="ctzXMnyvK2qbZvBZQ3nLrTavQKI9Q9cz" provider="AES 256"/>
...
</configuration>
Configure TLS Encryption in NCache
While NCache offers Encryption, simple Encryption doesn't guarantee security without performance costs. NCache requires data to travel for out-of-process communication in various ways based on your setup, such as between servers and clients, different servers, caches, and bridges. You can secure specific communication streams with TLS if needed, based on vulnerability and network security assurance.
See Also
Configure TLS Encryption in NCache
Configure Security for Cache
