Where exactly does NCache perform encryption and decryption?

NCache performs encryption and decryption strictly on the client-side within your application process. This ensures that data is already encrypted before it travels over the network and remains encrypted while at-rest on the cache server, resulting in zero server-side CPU overhead.

Is there a performance overhead when enabling encryption in NCache?

While encryption adds a minor processing layer, using AES algorithms (AES-128/192) results in minimal latency. AES-256 may introduce a negligible 10-20% throughput difference on modern CPUs, whereas legacy 3DES is significantly slower and should be avoided for performance-critical apps.

Which encryption algorithm should I choose for regulatory compliance?

For government or financial sectors requiring FIPS 140-2 validation, choose AES-FIPS 256. For standard enterprise requirements such as GDPR or PCI-DSS, standard AES-256 provides a robust 'Gold Standard' for data protection.

Can I change the encryption algorithm on an existing NCache cache?

Yes. You must stop the cache, update the provider settings in the Management Center (Advanced Settings -> Encryption), and restart. Note that existing data remains in its previous state until re-written; for a full transition, a bulk export/import is recommended.

Does NCache encryption support features like SQL queries and Tags?

Yes, NCache encryption is transparent. It supports all core features including SQL-like queries, tagging, groups, and expiration. The client-side API handles decryption automatically during retrieval, allowing these features to function seamlessly on the secured data.

Data Encryption in NCache

NCache provides an end-to-end data encryption framework that automatically encrypts sensitive data on the client side before it is transmitted and keeps it encrypted while stored in the distributed cache. This ensures data is protected both in-transit and at-rest, allowing only authorized clients with the correct cryptographic keys to decrypt and access the original information. With zero code changes and support for strong industry-standard algorithms such as AES-256, AES-FIPS, and 3DES, NCache helps secure sensitive data and meet compliance requirements like PCI-DSS, HIPAA, and GDPR.

In a distributed environment, caching systems frequently communicate over network channels to transfer data between client applications and remote cache servers. This data travels across the network and resides in the cache in a serialized form, making it vulnerable to interception and eavesdropping, man-in-the-middle, and unauthorized access attacks if it is not encrypted.

Data encryption is a core data-security mechanism in which readable plaintext information is converted into unreadable ciphertext. Only authorized clients possessing the correct cryptographic keys can decrypt the data and access the original information. In simple terms, encryption ensures that even if data is intercepted or accessed illegally, it remains unusable to unauthorized parties.

Data Encryption Algorithms

An encryption algorithm is the method used to transform data into ciphertext. An algorithm uses the encryption key to alter the data in a predictable way so that, even though the encrypted data appears random, it can be turned back into plaintext by using the decryption key.

NCache supports a rich set of standardized encryption algorithms that are nearly impossible to break. This ensures that your sensitive data is really well protected. NCache supports the following encryption algorithms that you can choose from:

Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)
Advanced Encryption Standard - Federal Information Processing Standards (AES-FIPS)

Below are details of each algorithm and its supported variations:

Triple Data Encryption Standard (3DES)

Triple Data Encryption Standard (3DES) is a symmetric-key block cipher algorithm, which applies the DES cipher algorithm three times to each data block. Different variations of the 3DES algorithm supported by NCache are:

3DES-128: 128-bit encryption
3DES-192: 192-bit encryption

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is a symmetric block cipher algorithm with a block/chunk size of 128 bits. It converts these individual blocks using keys of 128, 192, and 256 bits. Once it encrypts these blocks, it joins them together to form the ciphertext. Different variations of the AES algorithm supported by NCache are:

AES-128: 128-bit encryption
AES-192: 192-bit encryption
AES-256: 256-bit encryption

Advanced Encryption Standard - Federal Information Processing Standards (AES-FIPS)

The AES specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data called Advanced Encryption Standard - Federal Information Processing Standards (AES-FIPS). Different variations of the AES-FIPS algorithm supported by NCache are:

AES-FIPS 128: 128-bit encryption
AES-FIPS 192: 192-bit encryption
AES-FIPS 256: 256-bit encryption

Security Strength Comparison between 3DES and AES

Triple Data Encryption Standard Algorithm (3DES) is a way of using DES encryption three times. But even Triple DES was proven ineffective against brute force attacks (in addition to slowing down the process substantially).

AES data encryption is a more mathematically efficient and elegant cryptographic algorithm, but its main strength rests in the option for various key lengths. AES allows you to choose a 128-bit, 192-bit, or 256-bit key, making it exponentially stronger than the 56-bit key of DES. The larger the key length, the harder it is to break.

Algorithm	Key Length (bytes)
3DES-128	16
3DES-192	24
AES-128	16
AES-192	24
AES-256	32
AES-FIPS 128	16
AES-FIPS 192	24
AES-FIPS 256	32

Performance-wise Comparison between 3DES and AES

Encryption/Decryption time taken by AES is relatively less than 3DES, while both algorithms consume almost the same amount of memory.
The 3DES encryption process is much slower than AES because repeating the same encryption process three times in 3DES takes some time when compared to the AES encryption process, which is much faster.
Processing Time: AES is much faster than 3DES.
Memory Usage: AES and 3DES take nearly the same amount of memory.

Where Encryption Occurs in NCache

NCache data encryption and decryption mostly occur inside your application process. If encryption is enabled for a cache, NCache stores data in the cache in encrypted form.

Once encryption is enabled, the NCache client automatically encrypts your objects before sending them to the cache. And it automatically decrypts objects fetched from the cache, before delivering them to your application. When encryption is enabled, data being added using Cache API, Cache Startup Loader, and Read-through provider is encrypted.

You can enable encryption through the NCache Management Center without any programming effort on your part. To learn how to enable encryption, see Configure Encryption.