Configuring encryption per table (TDE)
Configure transparent data encryption (TDE) on a per-table basis. You can configure encryption with or without compression.
You must log in as a superuser to encrypt data. For example, with the default superuser account (change the default cassandra/cassandra credentials before a node holds real data):
cqlsh -u cassandra -p cassandra
Example of configuring encryption per table
Create the system keys with dsetool:
$ sudo dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
$ sudo dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key_2
Verify that the system key files are owned by the account that runs DSE and are readable and writable only by that owner (mode 0600), so no other local account can read the key material:
$ ls -l
-rw------- 1 cassandra cassandra 50 May 19 10:54 system_key
-rw------- 1 cassandra cassandra 50 May 19 11:20 system_key_2
Create a table that specifies the system_key_2 file as the encryption key for this specific table:
CREATE TABLE users (name text PRIMARY KEY, bio text)
WITH compression = { 'sstable_compression' : 'EncryptingSnappyCompressor',
'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
'secret_key_strength' : 128,
'chunk_length_kb' : 128,
'system_key_file' : 'system_key_2' };
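The ls -l check above, written as code so it can run from a deployment check. This is an added example, not part of DataStax Enterprise: each key file must be a regular file (not a symlink), owned by the account that runs DSE (assumed to be cassandra unless another name is passed), with no group or other permission bits, and non-empty. The demo() function builds a scratch directory with one correct and two wrong key files so the check runs anywhere; those files are constructed input, not real keys.

```python
"""Permission check for dsetool-created system key files.

Added example, not part of DataStax Enterprise. It re-implements the
"ls -l" check as code: each key file must be a regular file, owned by the
account that runs DSE (assumed to be 'cassandra' unless told otherwise),
with no group or other permission bits, and non-empty.
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List


def owner_name(uid: int) -> str:
    """Map a uid to a login name, falling back to the numeric uid."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_system_key(path: str, expected_owner: str = "cassandra") -> List[str]:
    """Return the problems found for one key file; an empty list means it passes."""
    problems: List[str] = []
    try:
        st = os.lstat(path)  # lstat: a symlink in the key directory is itself a finding
    except FileNotFoundError:
        return ["%s: missing" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s: is a symbolic link, expected a regular file" % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: mode %04o grants group/other access, expected 0600" % (path, mode))
    if not (mode & stat.S_IRUSR):
        problems.append("%s: owner cannot read the key" % path)
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        problems.append("%s: owned by %s, expected %s" % (path, owner, expected_owner))
    if st.st_size == 0:
        problems.append("%s: empty file" % path)
    return problems


def check_key_directory(directory: str, names: List[str],
                        expected_owner: str = "cassandra") -> Dict[str, List[str]]:
    """Check several key files in the directory named by system_key_directory in dse.yaml."""
    return {n: check_system_key(os.path.join(directory, n), expected_owner) for n in names}


def demo() -> Dict[str, List[str]]:
    """Constructed input: a scratch directory with one correct and two wrong key files.

    The expected owner is the current user so the demo runs anywhere."""
    me = owner_name(os.getuid())
    d = tempfile.mkdtemp(prefix="tde-keys-")
    for name, mode, content in (("system_key", 0o600, b"x" * 50),
                                ("system_key_2", 0o644, b"x" * 50),  # world-readable
                                ("system_key_3", 0o600, b"")):       # empty
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, mode)
    return check_key_directory(d, ["system_key", "system_key_2", "system_key_3", "missing_key"], me)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In production, call check_key_directory with the directory set as system_key_directory in dse.yaml and the names referenced by each table's system_key_file sub-option, and fail the deployment on any non-empty result.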
Encrypting table data with encryption and compression
CREATE TABLE users
...
WITH compression =
{ 'sstable_compression' : 'EncryptingSnappyCompressor',
'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
'secret_key_strength' : 128,
'chunk_length_kb' : 128 };
The compression options only affect SSTables written after the change. When you add encryption to an existing table with ALTER TABLE, the SSTables already on disk stay in clear text until they are rewritten, so follow the change with:
nodetool upgradesstables -a
Encrypting table data with encryption, but no compression
To encrypt without compressing, use the Encryptor value of sstable_compression and set the chunk_length_kb option to the lowest possible value. A low value such as 1 improves read performance because each read then has to decrypt only 1 KB of data.
Encryption/compression options and sub-options
Using encryption, your application can read and write to SSTables that use different encryption algorithms or no encryption at all. Using different encryption algorithms to encrypt SSTable data is similar to using different compression algorithms to compress data.
sstable_compression value | Description |
---|---|
Encryptor | Encrypts table data; no compression. |
EncryptingDeflateCompressor | Encrypts table data and compresses with the Deflate algorithm. |
EncryptingLZ4Compressor | Encrypts table data and compresses with the LZ4 algorithm. |
EncryptingSnappyCompressor | Encrypts table data and compresses with the Snappy algorithm. |
DeflateCompressor | Does not encrypt table data; compresses with the Deflate algorithm. |
SnappyCompressor | Does not encrypt table data; compresses with the Snappy algorithm. |
LZ4Compressor (default) | Does not encrypt table data; compresses with the LZ4 algorithm. |
For example, if running cassandra-stress, set -Xmn1600M.
The encryption and compression sub-options are:
cipher_algorithm sub-option
When the Java Cryptography Extension (JCE) unlimited-strength policy files are installed, the cipher_algorithm options and the acceptable secret_key_strength values for each algorithm are:
cipher_algorithm | secret_key_strength |
---|---|
AES/CBC/PKCS5Padding | 128, 192, or 256 |
AES/ECB/PKCS5Padding | 128, 192, or 256 |
DES/CBC/PKCS5Padding | 56 |
DESede/CBC/PKCS5Padding | 112 or 168 |
Blowfish/CBC/PKCS5Padding | 32-448 |
RC2/CBC/PKCS5Padding | 40-128 |
Prefer AES/CBC/PKCS5Padding with a 256-bit key for new tables. ECB mode encrypts identical plaintext blocks to identical ciphertext, so repeated values remain visible in the encrypted SSTables; the examples on this page use it only for brevity. DES, DESede, Blowfish and RC2 are 64-bit block ciphers with short keys and are listed for compatibility, not as recommended choices.
For example, to encrypt and compress a table with a 256-bit AES key that is served by a KMIP key server, set:
- sstable_compression = EncryptingDeflateCompressor
- cipher_algorithm = 'AES/CBC/PKCS5Padding'
- secret_key_strength = 256
- chunk_length_kb = 128
- key_provider = KmipKeyProviderFactory
- kmip_host = kmip_group2
You can install custom cryptographic providers in your JVM. Only the algorithms and key sizes listed above are supported out of the box; AES itself defines no 512-bit key.
- key_provider
- Specify KmipKeyProviderFactory to use the KMIP key server for encryption.
- kmip_host
- The name of the KMIP key server group set in the kmip_hosts section in dse.yaml.
- The key location sub-option
- Create global encryption keys using the dsetool createsystemkey command. You can create a global encryption key in the location that is specified by system_key_directory in the dse.yaml file. This default global encryption key is used when the system_key_file sub-option is not specified. To use a specific encryption key, use: 'system_key_file' : 'name_of_system_key_file'
- The chunk_length_kb sub-option
- On disk, SSTables are encrypted and compressed by block (to allow random reads). This sub-option of compression defines the size of the block in KB and must be a power of 2. Values larger than the default improve the compression ratio but increase the minimum amount of data that must be read and decrypted from disk for each read. The default value (64) is a good middle ground for compressed tables. Note that chunk_length_kb is unrelated to key size: without the JCE unlimited-strength policy files, the maximum key size is 64 bits for Data Encryption Standard (DES) and 128 bits for all other algorithms; install JCE for stronger keys.
Using just encryption and no compression, SSTables are larger than they would be if encryption were combined with compression. During creation of the table, DataStax Enterprise looks for the system key in the system_key_directory specified in dse.yaml, so you specify only the file name in system_key_file, not its path.
- The iv_length sub-option
- Not all algorithms allow you to set this sub-option, and most reject any value other than 16 bytes (the AES block size). Either use 16 or accept the default. ECB mode uses no IV, so with AES/ECB/PKCS5Padding the setting has no effect.
The syntax for setting this sub-option is the same as for the other compression sub-options:
ALTER TABLE users ...
WITH compression = { 'sstable_compression' : 'EncryptingSnappyCompressor',
'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
'secret_key_strength' : 128,
'iv_length' : 16 };
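The rules spread across the cipher_algorithm table, the chunk_length_kb sub-option and the iv_length sub-option, collected into one validator. This is an added example, not DataStax code: the algorithm and key-strength table is the one on this page, and the power-of-two and 16-byte rules are the ones stated above, but the ERROR/WARN severities, the jce_unlimited flag, and the warnings for ECB, 64-bit block ciphers and short keys are this editor's additions, not checks that DSE itself performs. compression_clause() renders the map in the CQL form used on this page.

```python
"""Validator and renderer for per-table TDE compression options.

Added example, not DataStax code. Encodes the cipher_algorithm /
secret_key_strength table, the chunk_length_kb power-of-two rule and the
iv_length rule from this page, and additionally flags choices that are
accepted but weak (ECB mode, 64-bit block ciphers, keys under 128 bits).
"""
from typing import Dict, List, Union

Options = Dict[str, Union[str, int]]

ENCRYPTING = {"Encryptor", "EncryptingDeflateCompressor",
              "EncryptingLZ4Compressor", "EncryptingSnappyCompressor"}
PLAIN = {"DeflateCompressor", "SnappyCompressor", "LZ4Compressor"}

# cipher_algorithm -> permitted secret_key_strength values (the page's table).
KEY_STRENGTHS = {
    "AES/CBC/PKCS5Padding": range(128, 257, 64),      # 128, 192, 256
    "AES/ECB/PKCS5Padding": range(128, 257, 64),
    "DES/CBC/PKCS5Padding": range(56, 57),            # 56 only
    "DESede/CBC/PKCS5Padding": range(112, 169, 56),   # 112, 168
    "Blowfish/CBC/PKCS5Padding": range(32, 449, 8),   # 32-448 in 8-bit steps
    "RC2/CBC/PKCS5Padding": range(40, 129, 8),        # 40-128 in 8-bit steps
}
LEGACY = ("DES/", "DESede/", "RC2/", "Blowfish/")     # all 64-bit block ciphers


def validate(opts: Options, jce_unlimited: bool = True) -> List[str]:
    """Return findings as 'ERROR: ...' (the setting is invalid) or 'WARN: ...'
    (accepted, but weak). An empty list means the options are clean."""
    out: List[str] = []
    comp = opts.get("sstable_compression", "LZ4Compressor")
    if comp in PLAIN:
        if "cipher_algorithm" in opts or "system_key_file" in opts:
            out.append("WARN: %s does not encrypt; cipher/key sub-options are ignored" % comp)
        return out
    if comp not in ENCRYPTING:
        return ["ERROR: unknown sstable_compression %r" % comp]

    alg = str(opts.get("cipher_algorithm", ""))
    if alg not in KEY_STRENGTHS:
        return ["ERROR: unsupported cipher_algorithm %r" % alg]
    strength = opts.get("secret_key_strength")
    if not isinstance(strength, int) or strength not in KEY_STRENGTHS[alg]:
        out.append("ERROR: secret_key_strength %r not valid for %s" % (strength, alg))
    elif alg.startswith("AES/") and strength > 128 and not jce_unlimited:
        out.append("ERROR: %d-bit AES needs the JCE unlimited-strength policy files" % strength)
    elif strength < 128:
        out.append("WARN: %d-bit key is below 128 bits" % strength)
    if "/ECB/" in alg:
        out.append("WARN: ECB mode maps equal plaintext blocks to equal ciphertext; prefer CBC")
    if alg.startswith(LEGACY):
        out.append("WARN: %s is a 64-bit block cipher; prefer AES" % alg.split("/")[0])

    chunk = opts.get("chunk_length_kb", 64)          # page default is 64 KB
    if not isinstance(chunk, int) or chunk < 1 or chunk & (chunk - 1):
        out.append("ERROR: chunk_length_kb must be a power of 2, got %r" % chunk)
    elif comp == "Encryptor" and chunk > 1:
        out.append("WARN: no compression, so chunk_length_kb=1 gives cheaper reads than %d" % chunk)

    iv = opts.get("iv_length")
    if iv is not None:
        if "/ECB/" in alg:
            out.append("WARN: ECB uses no IV; iv_length is ignored")
        elif iv != 16:
            out.append("ERROR: iv_length must be 16 bytes (or omitted), got %r" % iv)
    return out


def compression_clause(opts: Options) -> str:
    """Render the compression map as a CQL WITH clause, numbers unquoted as on this page."""
    body = ", ".join("'%s' : %s" % (k, v if isinstance(v, int) else "'%s'" % v)
                     for k, v in opts.items())
    return "WITH compression = { %s };" % body


if __name__ == "__main__":
    # Constructed input: the page's ECB example next to a hardened CBC variant.
    page_example: Options = {"sstable_compression": "EncryptingSnappyCompressor",
                             "cipher_algorithm": "AES/ECB/PKCS5Padding",
                             "secret_key_strength": 128, "chunk_length_kb": 128,
                             "system_key_file": "system_key_2"}
    hardened: Options = dict(page_example, cipher_algorithm="AES/CBC/PKCS5Padding",
                             secret_key_strength=256, chunk_length_kb=64, iv_length=16)
    for label, o in (("page example", page_example), ("hardened", hardened)):
        print(label, validate(o) or "clean")
        print("  ALTER TABLE users", compression_clause(o))
```

Run it against every table's compression map (for example from the output of DESCRIBE TABLE) before a node goes live; anything reported as ERROR will either be rejected by the table definition or silently do less than intended, and each WARN is a cipher choice to justify in the threat model.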
Using SolrJ Auth to implement encryption
To use the SolrJ-Auth libraries to implement encryption, follow the instructions in the solrj-auth-README.md file, which is located as follows:
Installation type | Location of solrj-auth-README.md |
---|---|
Debian installations | /usr/share/doc/dse-libsolr* |
RHEL-based installations | /usr/share/doc/dse-libsolr |
Binary installations | resources/solr |
These SolrJ-Auth libraries are included in the clients directory of the DataStax Enterprise distribution. The SolrJ-Auth code is public.
Installation type | Location of the clients directory |
---|---|
Debian installations | /usr/share/dse/clients |
Binary installations | install_location/clients |