Encrypting table data with KMIP encryption keys
How to encrypt table data using keys that are provided by a KMIP key server.
Designate transparent data encryption (TDE) on a per-table basis. With encryption enabled, your
application can read and write SSTables that use different encryption algorithms, or no
encryption at all.
Warning: Primary keys are stored in plain text. Do NOT put
sensitive information in partition key or clustering columns.
You must log in as a superuser to encrypt data. For example:
cqlsh -u cassandra -p cassandra
To encrypt table data using keys that are provided by a KMIP key server, without compression:
CREATE TABLE customers
...
WITH COMPRESSION =
{ 'sstable_compression': 'Encryptor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'kmip_group1',
'cipher_algorithm': 'AES/ECB/PKCS5Padding',
'secret_key_strength': 128 };
- 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when a KMIP key server is used; otherwise omit it.
- 'kmip_host': 'kmip_group1' specifies the user-defined KMIP key server group named kmip_group1, which is configured in the kmip_hosts section of dse.yaml.
To encrypt table data using keys that are provided by a KMIP key server and also compress it, specify an encrypting compressor such as EncryptingDeflateCompressor:
ALTER TABLE customers
...
WITH COMPRESSION =
{ 'sstable_compression': 'EncryptingDeflateCompressor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'kmip_group2',
'cipher_algorithm': 'AES/ECB/PKCS5Padding',
'secret_key_strength': 128 };
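An added audit check, not from the DataStax documentation, that walks compression option maps of the kind shown above (assumed to be stored, as entered, in the compression map of system_schema.tables together with column kinds from system_schema.columns; the sample rows are constructed) and reports tables that are unencrypted, that name the KMIP provider without a kmip_host, that use ECB mode, and which primary key columns stay in plain text.

```python
# Added audit example; not DataStax code. Sample rows are constructed stand-ins for
# what a live audit would fetch with the DataStax Python driver:
#   SELECT keyspace_name, table_name, compression FROM system_schema.tables;
#   SELECT column_name, kind FROM system_schema.columns WHERE ...;
ENCRYPTING_COMPRESSORS = {"Encryptor", "EncryptingDeflateCompressor"}


def audit_table(compression, columns):
    """compression: option map of one table; columns: list of (name, kind).
    Returns a list of findings (empty means nothing was flagged)."""
    findings = []
    # Assumption: DSE keeps the CQL option name 'sstable_compression'; stock
    # Cassandra stores the fully qualified class under 'class'.
    cls = compression.get("sstable_compression") or compression.get("class", "")
    cls = cls.rsplit(".", 1)[-1]
    if cls not in ENCRYPTING_COMPRESSORS:
        findings.append(f"not encrypted (compressor {cls or 'none'})")
        return findings
    if (compression.get("key_provider") == "KmipKeyProviderFactory"
            and not compression.get("kmip_host")):
        findings.append("KMIP key provider set but kmip_host missing")
    if "/ECB/" in compression.get("cipher_algorithm", "").upper():
        findings.append("ECB mode: identical plaintext blocks encrypt identically")
    # TDE never encrypts partition key or clustering columns (see the warning above).
    plaintext = [n for n, kind in columns if kind in ("partition_key", "clustering")]
    if plaintext:
        findings.append("primary key columns stored in plain text: " + ", ".join(plaintext))
    return findings


def audit_all(tables):
    """tables: {(keyspace, table): (compression_map, columns)} -> {'ks.table': findings}"""
    return {f"{ks}.{t}": audit_table(c, cols) for (ks, t), (c, cols) in tables.items()}


# Constructed sample schema: one table per situation the audit distinguishes.
SAMPLE_TABLES = {
    ("shop", "customers"): (
        {"sstable_compression": "Encryptor", "key_provider": "KmipKeyProviderFactory",
         "kmip_host": "kmip_group1", "cipher_algorithm": "AES/ECB/PKCS5Padding",
         "secret_key_strength": "128"},
        [("customer_id", "partition_key"), ("order_ts", "clustering"), ("card_number", "regular")]),
    ("shop", "orders"): (
        {"class": "org.apache.cassandra.io.compress.LZ4Compressor"},
        [("order_id", "partition_key")]),
    ("shop", "audit"): (
        {"sstable_compression": "EncryptingDeflateCompressor",
         "key_provider": "KmipKeyProviderFactory",
         "cipher_algorithm": "AES/CBC/PKCS5Padding", "secret_key_strength": "128"},
        [("event_id", "partition_key")]),
}
```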
The location of the dse.yaml file depends on the type of installation:
Installation type | Location
Installer-Services | /etc/dse/dse.yaml
Package installations | /etc/dse/dse.yaml
Installer-No Services | install_location/resources/dse/conf/dse.yaml
Tarball installations | install_location/resources/dse/conf/dse.yaml