Transparent data encryption 

Transparent data encryption (TDE) protects at-rest data. TDE requires a secure local file system to be effective.

At-rest data is data that has been saved to disk.

Data can be encrypted using different algorithms, or not at all. SSTable data files are immutable after they have been flushed to disk, and they are encrypted only once, when they are written to disk.

Commit logs 

The Cassandra commit log is encrypted when system encryption is enabled. See Configuring encryption.

The Solr commit log is encrypted when the backing Cassandra table for the Solr core is encrypted. See Configuring encryption per table (TDE).

Data that is not encrypted 

At-rest data that is not encrypted includes Cassandra files other than commit log and SSTable data files, DSEFS data files, and Spark spill files.

Requirements 

TDE requires a secure local file system to be effective. Encryption certificates are stored off-server with KMIP encryption or locally with on-server encryption.

TDE limitations and recommendations 

Data is not directly protected by TDE when you access the data using the following utilities.

Utility          Reason utility is not encrypted
---------------  ---------------------------------------
nodetool         Uses only JMX, so data is not accessed.
sstableloader    Operates directly on the SSTables.
sstablescrub     Operates directly on the SSTables.
sstableutil      Operates directly on the SSTables.
sstableverify    Operates directly on the SSTables.

Compression and encryption introduce performance overhead.

TDE options 

To get the full capabilities of TDE and to ensure full algorithm support, install JCE.

The location of the dse.yaml file depends on the type of installation:

Installer-Services       /etc/dse/dse.yaml
Package installations    /etc/dse/dse.yaml
Installer-No Services    install_location/resources/dse/conf/dse.yaml
Tarball installations    install_location/resources/dse/conf/dse.yaml
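
The following check is an added example, not DataStax code: it reads dse.yaml from the locations listed above, reports whether system encryption is enabled, and flags loose file permissions on the file. It assumes the setting is the enabled key under a top-level system_info_encryption block; the permission rule and the function names are this example's own choices.

```python
import os
import re
import stat

# Constructed sample, not a real configuration file.
SAMPLE_ON = """\
system_info_encryption:
    enabled: true   # constructed value
"""

def candidate_paths(install_location=None):
    """dse.yaml locations listed on this page; install_location is site-specific."""
    paths = ["/etc/dse/dse.yaml"]
    if install_location:
        paths.append(os.path.join(install_location, "resources/dse/conf/dse.yaml"))
    return paths

def system_encryption_enabled(yaml_text):
    """True/False for system_info_encryption.enabled, None if the block is absent.
    Assumption: the key sits directly under that top-level block."""
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # commented-out blocks count as absent
        if not line.strip():
            continue
        if not line[0].isspace():              # any top-level key opens or closes the block
            in_block = line.startswith("system_info_encryption:")
            continue
        m = re.match(r"\s+enabled:\s*(\S+)", line)
        if in_block and m:
            return m.group(1).lower() == "true"
    return None

def audit(path):
    """Return a list of findings for one dse.yaml file (empty list = nothing flagged)."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        if system_encryption_enabled(fh.read()) is not True:
            findings.append("system encryption is not enabled")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
        findings.append(f"mode {mode:o}: writable by group/others or world-readable")
    return findings

if __name__ == "__main__":
    for p in candidate_paths():
        if os.path.exists(p):
            print(p, audit(p) or "ok")
```

For Installer-No Services and tarball installations, pass the installation directory to candidate_paths().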