Encrypting table data
Encrypt data stored in a table using a KMIP key.
Primary keys are stored in plain text. Do not put sensitive information in partition key or clustering columns.
Prerequisites
Complete the steps in Adding a KMIP host.
If any of the defined KMIP groups are not available, DSE startup fails.
Procedure
- To create a new encrypted table using a key from a KMIP server:
  - Encryption without compression:
    CREATE TABLE customers ... WITH COMPRESSION = {
        'class': 'Encryptor',
        'key_provider': 'KmipKeyProviderFactory',
        'kmip_host': '<kmip_group_name>' [, 'key_namespace': '<kmip_namespace>'],
        'cipher_algorithm': 'AES/ECB/PKCS5Padding',
        'secret_key_strength': 128 };
    - 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when the keys come from a KMIP key server; otherwise omit it.
    - 'kmip_host': '<kmip_group_name>' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of dse.yaml.
    - 'key_namespace': '<kmip_namespace>' (optional, shown in brackets above) specifies a KMIP namespace. Namespaces let you manage keys granularly on a per-table or per-keyspace basis.
  - Compression and encryption:
    CREATE TABLE customers ... WITH COMPRESSION = {
        'class': 'EncryptingDeflateCompressor',
        'key_provider': 'KmipKeyProviderFactory',
        'kmip_host': '<kmip_group_name>',
        'cipher_algorithm': 'AES/ECB/PKCS5Padding',
        'secret_key_strength': 128 };
- To encrypt an existing table:
  - Change the table compression settings:
    - Encryption without compression:
      ALTER TABLE customers ... WITH COMPRESSION = {
          'class': 'Encryptor',
          'key_provider': 'KmipKeyProviderFactory',
          'kmip_host': '<kmip_group_name>' [, 'key_namespace': '<kmip_namespace>'],
          'cipher_algorithm': 'AES/ECB/PKCS5Padding',
          'secret_key_strength': 128 };
      - 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when the keys come from a KMIP key server; otherwise omit it.
      - 'kmip_host': '<kmip_group_name>' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of dse.yaml.
      - 'key_namespace': '<kmip_namespace>' (optional, shown in brackets above) specifies a KMIP namespace. Namespaces let you manage keys granularly on a per-table or per-keyspace basis.
    - Compression and encryption:
      ALTER TABLE customers ... WITH COMPRESSION = {
          'class': 'EncryptingDeflateCompressor',
          'key_provider': 'KmipKeyProviderFactory',
          'kmip_host': '<kmip_group_name>',
          'cipher_algorithm': 'AES/ECB/PKCS5Padding',
          'secret_key_strength': 128 };
  - Encrypt existing data on all nodes in the cluster (the ALTER only affects SSTables written from then on; this rewrites the existing ones):
    nodetool upgradesstables -a [<keyspace_name> [<table_name> [<table_name> ...]]]
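The following is an added worked example, not code from the DSE documentation page, that pulls the two procedures above together: a complete CREATE TABLE that respects the plain-text primary key rule, the ALTER TABLE form for a table that already exists, and a schema query to confirm what was applied. The keyspace name shop, the column names, and the kmip_hosts group name kmip_prod are constructed placeholders; substitute the group name you defined in dse.yaml. The cipher and key strength are the values used on this page.

```cql
-- Added example (not from the DSE documentation page).
-- Assumptions: keyspace 'shop' and the kmip_hosts group 'kmip_prod' are
-- constructed names; replace them with your own before running in cqlsh.

-- The partition key is a surrogate UUID. Primary keys are stored in plain text
-- even on an encrypted table, so the e-mail address, name and card digits are
-- regular columns, which the Encryptor does protect.
CREATE TABLE shop.customers (
    customer_id uuid PRIMARY KEY,
    email       text,
    full_name   text,
    card_last4  text
) WITH COMPRESSION = {
    'class': 'Encryptor',
    'key_provider': 'KmipKeyProviderFactory',
    'kmip_host': 'kmip_prod',
    'key_namespace': 'shop',          -- optional: scope KMIP keys to this keyspace
    'cipher_algorithm': 'AES/ECB/PKCS5Padding',
    'secret_key_strength': 128
};

-- Pattern to avoid: the same data keyed by e-mail address. The partition key
-- would be written in plain text although the table is "encrypted":
--   CREATE TABLE shop.customers_by_email (email text PRIMARY KEY, ...)
--       WITH COMPRESSION = { 'class': 'Encryptor', ... };

-- Switching an existing table to compression plus encryption. Only SSTables
-- written after this ALTER use the new settings; existing SSTables stay as they
-- are until "nodetool upgradesstables -a shop customers" is run on every node.
ALTER TABLE shop.customers WITH COMPRESSION = {
    'class': 'EncryptingDeflateCompressor',
    'key_provider': 'KmipKeyProviderFactory',
    'kmip_host': 'kmip_prod',
    'cipher_algorithm': 'AES/ECB/PKCS5Padding',
    'secret_key_strength': 128
};

-- Check: read back the compression map the schema actually holds, so a typo
-- in the option names (which would silently leave data unencrypted) is caught.
SELECT compression FROM system_schema.tables
 WHERE keyspace_name = 'shop' AND table_name = 'customers';
```

Run the statements from cqlsh; the nodetool upgradesstables step is a shell command executed on each node, not CQL, which is why it appears only as a comment here. The SELECT at the end is the practical verification: the returned map should list 'class', 'key_provider' and 'kmip_host' exactly as written, and any node whose KMIP group is missing from dse.yaml will refuse to start, per the prerequisites above.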