Transparent data encryption
Transparent data encryption (TDE) protects at rest data. TDE requires a secure local file system to be effective.
Transparent data encryption (TDE) protects at rest data. At rest data is data that has been flushed from the memtable in system memory to the SSTables on disk.
As shown in the diagram, data stored in the commit log is not encrypted. If you need commit log encryption, store the commit log on an OS-level encrypted file system using a security product such as Vormetric. Data can be encrypted using different algorithms, or not at all. SSTable data files are immutable after they have been flushed to disk and encrypted only once when they are written to disk.
The Cassandra File System (CFS) is accessed as part of the Hadoop File System (HDFS) using the configured authentication. If you encrypt the CFS keyspace's sblocks and inode tables, all CFS data is encrypted.
Requirements
TDE requires a secure local file system to be effective. Encryption certificates are stored off-server with KMIP encryption or locally with on-server encryption.
Limitations and recommendations
Data is not directly protected by TDE when you access the data using the following utilities.
| Utility | Reason utility is not encrypted |
|---|---|
| json2sstable | Operates directly on the SSTables. |
| nodetool | Uses only JMX, so data is not accessed. |
| sstable2json | Operates directly on the SSTables. |
| sstablekeys | Operates directly on the SSTables. |
| sstableloader | Operates directly on the SSTables. |
| sstablescrub | Operates directly on the SSTables. |
Compression and encryption introduce performance overhead.
Options
To get the full capabilities of TDE, download and install the Java Cryptography Extension (JCE), unzip the jar files and place them under $JAVA_HOME/jdk/lib/security. JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations.