Encrypting table data with KMIP encryption keys

How to encrypt table data using keys that are provided by a KMIP key server.

Designate transparent data encryption (TDE) on a per-table basis. Because encryption is configured per table, your application can read and write SSTables that use different encryption algorithms, or no encryption at all.
Warning: Primary keys are stored in plain text. Do NOT put sensitive information in partition key or clustering columns.

You must log in as a superuser to encrypt data. For example:

cqlsh -u cassandra -p cassandra

Procedure

  1. To encrypt table data using keys that are provided by a KMIP key server, without compression:
    CREATE TABLE customers
      ...
      WITH COMPRESSION =
      { 'sstable_compression': 'Encryptor',
      'key_provider': 'KmipKeyProviderFactory',
      'kmip_host': 'kmip_group1',
      'cipher_algorithm': 'AES/ECB/PKCS5Padding',
      'secret_key_strength': 128 };
    • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when the keys come from a KMIP key server; otherwise omit it.
    • 'kmip_host': 'kmip_group1' specifies the user-defined KMIP key server group named kmip_group1, which is defined in the kmip_hosts section of dse.yaml.
    To encrypt table data using keys that are provided by a KMIP key server and also compress it, specify an encrypting compressor such as EncryptingDeflateCompressor:
    ALTER TABLE customers
      ...
      WITH COMPRESSION =
      { 'sstable_compression': 'EncryptingDeflateCompressor',
      'key_provider': 'KmipKeyProviderFactory',
      'kmip_host': 'kmip_group2',
      'cipher_algorithm': 'AES/ECB/PKCS5Padding',
      'secret_key_strength': 128 };
  2. After you alter a table for encryption, force a rewrite of the existing SSTables into the encrypted format:
    nodetool upgradesstables -a
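As an added example (not part of the DataStax documentation), the following script audits the COMPRESSION options of a set of tables for the settings described above: whether the SSTables are encrypted at all, whether keys come from a KMIP server group, and whether the cipher and key size are sound. The rows are constructed inline in the shape of system_schema.tables so the script runs offline; in practice they would come from `SELECT keyspace_name, table_name, compression FROM system_schema.tables;`.

```python
# Added audit example (not from the DataStax page). Rows mimic system_schema.tables,
# where the compression column is a map<text,text>, so option values are strings.

ENCRYPTING_COMPRESSORS = {"Encryptor", "EncryptingDeflateCompressor"}
KMIP_PROVIDER = "KmipKeyProviderFactory"
AES_KEY_SIZES = {128, 192, 256}  # the key sizes AES defines

# Constructed sample rows: (keyspace, table, compression options).
SAMPLE_TABLES = [
    ("shop", "customers", {"sstable_compression": "Encryptor",
                           "key_provider": KMIP_PROVIDER, "kmip_host": "kmip_group1",
                           "cipher_algorithm": "AES/ECB/PKCS5Padding",
                           "secret_key_strength": "128"}),
    ("shop", "orders", {"sstable_compression": "EncryptingDeflateCompressor",
                        "key_provider": KMIP_PROVIDER, "kmip_host": "kmip_group2",
                        "cipher_algorithm": "AES/CBC/PKCS5Padding",
                        "secret_key_strength": "256"}),
    ("shop", "sessions", {"sstable_compression": "LZ4Compressor"}),
    ("shop", "audit", {"sstable_compression": "Encryptor",
                       "cipher_algorithm": "AES/CBC/PKCS5Padding",
                       "secret_key_strength": "100"}),
]


def audit_table(keyspace, table, opts):
    """Return a list of findings (strings) for one table's compression options."""
    name = f"{keyspace}.{table}"
    compressor = opts.get("sstable_compression", "")
    if compressor not in ENCRYPTING_COMPRESSORS:
        # Plain compressors (or none) leave SSTable data unencrypted on disk.
        return [f"{name}: SSTables not encrypted (sstable_compression={compressor or 'none'})"]
    findings = []
    if opts.get("key_provider") != KMIP_PROVIDER:
        findings.append(f"{name}: keys are not managed by a KMIP key server")
    elif not opts.get("kmip_host"):
        findings.append(f"{name}: kmip_host missing; no KMIP group from dse.yaml selected")
    algo = opts.get("cipher_algorithm", "")
    # ECB encrypts each block independently, so identical plaintext blocks
    # produce identical ciphertext blocks; flag it for review.
    if "/ECB/" in algo:
        findings.append(f"{name}: cipher_algorithm {algo} uses ECB mode")
    strength = opts.get("secret_key_strength")
    if algo.startswith("AES/") and int(strength or 0) not in AES_KEY_SIZES:
        findings.append(f"{name}: secret_key_strength {strength} is not a valid AES key size")
    return findings


def audit_schema(rows):
    """Audit every (keyspace, table, options) row and collect all findings."""
    return [f for ks, tbl, opts in rows for f in audit_table(ks, tbl, opts)]
```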