Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.

Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.

Abstract: Disclosed techniques relate to storing a key cache within a secure enclave. In some embodiments, a computing system receives, from an application, a request to access a database, where the request is associated with a particular account. The computing system then accesses, using an identifier associated with the particular account, a key cache stored in a secure enclave of a memory of the computing system to determine at least one private key associated with the request, where the key cache stores private keys of a key management system (KMS) for a plurality of accounts. The computing system performs a cryptographic operation for accessing the database within the secure enclave using the at least one private key. In various embodiments, disclosed techniques may improve the security of cryptographic private keys cached for a plurality of tenants.

Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.