Caching column encryption keys improves performance by eliminating the overhead associated with fetching and decrypting the keys for the same data multiple times. For security purposes, the driver empties keys from the cache at the end of a connection; however, depending on the security needs of your environment, you may not want to store keys in the cache at all. You can determine whether the driver caches column encryption keys by specifying the following values for the Key Cache Time To Live (AEKeyCacheTTL) option:
If set to -1, the driver caches column encryption keys on a per-connection basis. The keys remain in the cache until the connection is closed or the application exits.
If set to 0, the driver does not cache column encryption keys.
By default, the driver caches column encryption keys on a per-connection basis (AEKeyCacheTTL=-1). The driver caches keys only when Always Encrypted is enabled (ColumnEncryption=Enabled | ResultsetOnly). See "Key Cache Time To Live" for details.
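
One way to check connection strings against a no-key-caching policy, as an added example that is not part of the driver's documentation. It assumes ODBC-style `Key=Value;` strings; the data source names, the `Driver` and `Server` values and the result labels are constructed, and treating an absent ColumnEncryption as Always Encrypted being off is an assumption.

```python
import re

# Option names and values are the ones this page documents; everything else is constructed.
AE_ON = {"enabled", "resultsetonly"}  # ColumnEncryption values under which keys are cached

def parse_conn_str(conn_str):
    """Split 'Key=Value;Key={braced;value}' into a dict with lower-cased keys."""
    pairs = re.findall(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)", conn_str)
    return {k.lower(): v.strip().strip("{}") for k, v in pairs}

def key_cache_state(conn_str):
    """Return how column encryption keys would be cached for this connection string."""
    opts = parse_conn_str(conn_str)
    # Assumption: an absent ColumnEncryption means Always Encrypted is off,
    # and option names/values are matched case-insensitively.
    if opts.get("columnencryption", "").lower() not in AE_ON:
        return "not-applicable"
    ttl = opts.get("aekeycachettl", "-1")  # documented default is -1
    if ttl == "0":
        return "no-cache"
    if ttl == "-1":
        return "per-connection"
    return "unrecognized"  # a value other than the two described on this page

def audit(conn_strings, forbid_caching=True):
    """List (name, state) for entries that break a no-caching policy or need review."""
    findings = []
    for name, cs in conn_strings.items():
        state = key_cache_state(cs)
        if state == "unrecognized" or (forbid_caching and state == "per-connection"):
            findings.append((name, state))
    return findings

# Constructed sample data source definitions (not from any real system).
SAMPLES = {
    "billing": "Driver={Example Driver};Server=db.example.internal;ColumnEncryption=Enabled",
    "reports": "Driver={Example Driver};ColumnEncryption=ResultsetOnly;AEKeyCacheTTL=0",
    "legacy":  "Driver={Example Driver};Server=db.example.internal;AEKeyCacheTTL=-1",
    "typo":    "Driver={Example Driver};columnencryption=enabled;aekeycachettl= 30 ",
}

if __name__ == "__main__":
    for name, state in audit(SAMPLES):
        print(f"{name}: {state}")
```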