Encrypting table data with KMIP encryption keys  

How to encrypt table data using keys that are provided by a KMIP key server.

Designate transparent data encryption (TDE) on a per table basis. Using encryption, your application can read and write to SSTables that use different encryption algorithms or use no encryption at all. You must login as a superuser to encrypt data. For example:

$ cqlsh -u cassandra -p cassandra

To encrypt table data using keys that are provided by a KMIP key server, without compression:

CREATE TABLE customers 
  ...
  WITH COMPRESSION =
  { 'sstable_compression': 'Encryptor',
  'key_provider': 'KmipKeyProviderFactory',  
  'kmip_host': 'kmip_group1', 
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };
  • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key provider' entry only to specify to use a KMIP key server, otherwise omit this entry.
  • 'kmip_host': 'kmip_group1' specifies the user-defined the KMIP key server group named kmip_group1 that is set in the kmip_hosts section in dse.yaml.

To encrypt table data using keys that are provided by a KMIP key server, and use compression, specify a compression algorithm such as the EncryptingDeflateCompressor compressor:

ALTER TABLE customers 
  ...
  WITH COMPRESSION =
  { 'sstable_compression': 'EncryptingDeflateCompressor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group2',
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };
The location of the dse.yaml file depends on the type of installation:
Installer-Services /etc/dse/dse.yaml
Package installations /etc/dse/dse.yaml
Installer-No Services install_location/resources/dse/conf/dse.yaml
Tarball installations install_location/resources/dse/conf/dse.yaml