How is the RKM client cache encrypted?
--------------------------------
How are keys in cache protected?
--------------------------------
DEK = Data Encryption Key received from RKM Server
PASSWORD = Cache password
SALT = random bytes
ITERATIONS = randomly generated between 1000 and 2000
KEK = PBKDF2(PASSWORD, SALT, ITERATIONS) = Key Encryption Key
KEKIV = random bytes = Key Encryption Key Initialization Vector
DEKHASH = concat(DEK, hash(DEK)) = Concatenation of DEK and its hash for integrity check
CEK = random bytes = Cache Encryption Key
CEKIV = random bytes = Cache Encryption Key Initialization Vector
CEKHMAC = concat(CEK, hmac(CEK, KEK)) = Concatenation of CEK and its HMAC, for integrity check
-------------------
What's in the cache
-------------------
KM_Security_table.iteration_count = ITERATIONS
KM_Security_table.salt = base64_encode(SALT)
KM_Security_table.kek_iv = base64_encode(KEKIV)
KM_Security_table.cek_iv = base64_encode(CEKIV)
KM_Security_table.cek = base64_encode(aes_encrypt(CEKHMAC using KEK and KEKIV))
KM_Key_Table.key = base64_encode(aes_encrypt(DEKHASH using CEK and CEKIV))
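The KEK derivation and the two integrity envelopes (CEKHMAC and DEKHASH) described above, as an added example that is not code from the RKM client. It covers what is checked after each AES decryption and leaves the AES layer out, because the page does not state the cipher mode or key size. Assumptions: SHA-256 for PBKDF2, the hash and the HMAC; 32-byte keys; `hmac(CEK, KEK)` read as an HMAC over CEK keyed with KEK. All function names are hypothetical.

```python
import base64, hashlib, hmac, os

HASH = "sha256"  # assumption: the page does not name the hash / HMAC algorithm
KEY_LEN = 32     # assumption: 256-bit KEK, CEK and DEK
TAG_LEN = hashlib.new(HASH).digest_size

def derive_kek(password: bytes, salt_b64: str, iterations: int) -> bytes:
    """KEK = PBKDF2(PASSWORD, SALT, ITERATIONS), using the stored salt and count."""
    salt = base64.b64decode(salt_b64)
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, KEY_LEN)

def _split(blob: bytes):
    """Separate key material from the trailing check value."""
    if len(blob) <= TAG_LEN:
        raise ValueError("blob too short to hold a key and its check value")
    return blob[:-TAG_LEN], blob[-TAG_LEN:]

def make_cekhmac(cek: bytes, kek: bytes) -> bytes:
    """CEKHMAC = concat(CEK, hmac(CEK, KEK)); assumed: CEK is the message, KEK the key."""
    return cek + hmac.new(kek, cek, HASH).digest()

def open_cekhmac(blob: bytes, kek: bytes) -> bytes:
    """Return CEK from a decrypted CEKHMAC only if its HMAC verifies under KEK."""
    cek, tag = _split(blob)
    if not hmac.compare_digest(tag, hmac.new(kek, cek, HASH).digest()):
        raise ValueError("CEK check failed: wrong cache password or modified entry")
    return cek

def make_dekhash(dek: bytes) -> bytes:
    """DEKHASH = concat(DEK, hash(DEK))."""
    return dek + hashlib.new(HASH, dek).digest()

def open_dekhash(blob: bytes) -> bytes:
    """Return DEK from a decrypted DEKHASH only if the trailing hash matches."""
    dek, digest = _split(blob)
    if not hmac.compare_digest(digest, hashlib.new(HASH, dek).digest()):
        raise ValueError("DEK check failed: corrupted or modified cache entry")
    return dek

if __name__ == "__main__":
    # Constructed sample values, not taken from a real cache.
    salt_b64 = base64.b64encode(os.urandom(16)).decode()
    kek = derive_kek(b"constructed-password", salt_b64, 1500)
    cek = os.urandom(KEY_LEN)
    print(open_cekhmac(make_cekhmac(cek, kek), kek) == cek)
    try:
        open_cekhmac(make_cekhmac(cek, kek), derive_kek(b"wrong", salt_b64, 1500))
    except ValueError as err:
        print("rejected:", err)
```

Because the HMAC is keyed with KEK, a wrong cache password is detected at the CEK layer, while the unkeyed hash on DEKHASH only detects corruption of an entry once CEK is already known.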