How to encrypt table data using keys that are provided by a KMIP key server.
Designate transparent data encryption (TDE) on a per-table basis. Because encryption is a table property, your application can read and write SSTables that use different encryption algorithms, or no encryption at all, without any change to the application code.
Warning: Primary keys are stored in plain text. Do NOT put sensitive information in partition key or clustering columns.
You must log in as a superuser to encrypt data. For example:
cqlsh -u cassandra -p cassandra
Procedure
- To encrypt table data using keys that are provided by a KMIP key server, without compression:
CREATE TABLE customers
...
WITH COMPRESSION =
{ 'sstable_compression': 'Encryptor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'kmip_group1',
'cipher_algorithm': 'AES/ECB/PKCS5Padding',
'secret_key_strength': 128 };
- 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when a KMIP key server is to supply the keys; otherwise omit it.
'kmip_host': 'kmip_group1' specifies the user-defined KMIP key server group named kmip_group1 that is set in the kmip_hosts section in .
To encrypt table data using keys that are provided by a KMIP key server and also compress it, specify an encrypting compressor such as EncryptingDeflateCompressor:
ALTER TABLE customers
...
WITH COMPRESSION =
{ 'sstable_compression': 'EncryptingDeflateCompressor',
'key_provider': 'KmipKeyProviderFactory',
'kmip_host': 'kmip_group2',
'cipher_algorithm': 'AES/ECB/PKCS5Padding',
'secret_key_strength': 128 };
- After you alter a table for encryption, force a rewrite of existing SSTables into encrypted format:
nodetool upgradesstables -a
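The two statements above elide the column definitions. The following is an added example, not part of the original page or DataStax's own documentation, that fills them in with an assumed schema so the whole procedure can be run end to end in cqlsh. The keyspace name shop, the column names, the replication settings and the KMIP group names are constructed; the compression option values are the ones the page uses. The schema layout follows the warning above: the partition key and clustering column hold only a surrogate id and a timestamp, and the sensitive fields are regular columns, which are the part of the SSTable the encryptor protects.

```sql
-- Added example (not from the original page): a complete version of the
-- elided CREATE TABLE / ALTER TABLE statements, with an assumed schema.
-- Keyspace, column names, replication and KMIP group names are constructed.

-- Assumed keyspace; replication settings are placeholders for a test cluster.
CREATE KEYSPACE IF NOT EXISTS shop
  WITH REPLICATION = { 'class': 'SimpleStrategy', 'replication_factor': 1 };

-- Primary key columns (customer_id, created_at) are stored in plain text,
-- so only a non-sensitive surrogate id and a timestamp go there; the
-- sensitive fields are regular columns and are covered by the encryptor.
CREATE TABLE shop.customers (
  customer_id uuid,
  created_at  timestamp,
  full_name   text,
  email       text,
  card_last4  text,
  PRIMARY KEY (customer_id, created_at)
)
WITH COMPRESSION = {
  'sstable_compression': 'Encryptor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group1',
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

-- Switch the same table to encryption plus Deflate compression, with keys
-- served by a second (constructed) KMIP group.
ALTER TABLE shop.customers
WITH COMPRESSION = {
  'sstable_compression': 'EncryptingDeflateCompressor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group2',
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

-- Check that the stored table metadata carries the expected options
-- (system_schema is the schema keyspace in Cassandra 3.0+ / DSE 5.0+).
SELECT compression FROM system_schema.tables
 WHERE keyspace_name = 'shop' AND table_name = 'customers';
```

The SELECT at the end only confirms what the schema says; SSTables written before the ALTER keep their old format until they are rewritten, so follow it on every node with nodetool upgradesstables -a shop customers (the keyspace and table arguments limit the rewrite to this table). One design note on the cipher value taken from the page: AES in ECB mode encrypts equal plaintext blocks to equal ciphertext blocks, so repeated column values remain distinguishable in the encrypted SSTable; choose the cipher_algorithm with that property in mind rather than copying the example value into production unexamined.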