Transparent data encryption 

Transparent data encryption (TDE) protects at rest data. TDE requires a secure local file system to be effective.

Transparent data encryption (TDE) protects at rest data. At rest data is data that has been stored on disk.



As shown in the diagram, data stored in the commit log is not encrypted. If you need commit log encryption, store the commit log on an OS-level encrypted file system using a security product such as Vormetric. Data can be encrypted using different algorithms, or not at all. SSTable data files are immutable after they have been flushed to disk and encrypted only once when they are written to disk.

The Cassandra File System (CFS) is accessed as part of the Hadoop File System (HDFS) using the configured authentication. If you encrypt the CFS keyspace's sblocks and inode tables, all CFS data is encrypted.

Requirements 

TDE requires a secure local file system to be effective. Encryption certificates are stored off-server with KMIP encryption or locally with on-server encryption.

TDE limitations and recommendations 

Data is not directly protected by TDE when you access the data using the following utilities.

Utility Reason utility is not encrypted
json2sstable Operates directly on the SSTables.
nodetool Uses only JMX, so data is not accessed.
sstable2json Operates directly on the SSTables.
sstablekeys Operates directly on the SSTables.
sstableloader Operates directly on the SSTables.
sstablescrub Operates directly on the SSTables.

Compression and encryption introduce performance overhead.

TDE options 

To get the full capabilities of TDE, download and install the Java Cryptography Extension (JCE), unzip the jar files and place them under $JAVA_HOME/jdk/lib/security. JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations.