receiving, in the data stream, an optimized, encrypted file and a corresponding set of encrypted indices comprising unique identifiers that categorize the optimized, encrypted file;

using the set of encrypted indices and a particular encryption key to decompose the optimized, encrypted file and to identify (i) a set of full encrypted segments that comprise a first portion of the encrypted file and (ii) a set of encrypted values that comprise a second portion of the encrypted file, wherein each encrypted value in the set of encrypted values maps to a respective segment stored in a segment cache at the second site;

for each encrypted value in the set of encrypted values, retrieving the respective segment from the segment cache; and

using the identified set of full segments and set of retrieved segments to reconstruct the encrypted file;

wherein the gateway router comprises a first gateway router and the public cloud comprises a first public cloud, wherein receiving the optimized, encrypted file from the first site comprises receiving the optimized, encrypted file from a second gateway router that is deployed to a second gateway cloud to perform a set of WAN optimization operations on the data stream originating from a source device at the first site and to forward the optimized data stream to a destination device at the second site.