Table encryption options and syntax
When a table definition uses an encryption class, all table data except for primary keys is encrypted with a key entry from the dse_system.encrypted_keys table.
If no keys match the cipher_algorithm, secret_key_strength, and system_key_file settings, a new key is created and added to the table.
The following syntax only shows encryption options.
All other compression options, such as |
Syntax
COMPRESSION = {
'class' : 'encryption_class'[,
'cipher_algorithm' : 'cipher_algorithm_type'] [,
'secret_key_strength' : length] [,
'system_key_file': 'key_filename'] };
Options
encryption_class
Specifies the encryption type. Use one of the class names from the following table. (Required)

Name                          Encrypts  Compresses
Encryptor [1]                 Yes       No
EncryptingLZ4Compressor       Yes       Yes
EncryptingDeflateCompressor   Yes       Yes
EncryptingSnappyCompressor    Yes       Yes

[1] When using the Encryptor class, specify a larger young generation heap (the -Xmn parameter) to improve garbage collection (GC). For example, set the size to -Xmn1600M when running cassandra-stress.

cipher_algorithm_type
Sets the type of encryption key.
cipher_algorithm[/mode/padding]
DSE supports the following JCE cipher algorithms and corresponding length:
- AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)
- AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
- DES/CBC/PKCS5Padding (valid with length 56)
- DESede/CBC/PKCS5Padding (valid with length 112 or 168)
- Blowfish/CBC/PKCS5Padding (valid with length 32-448)
- RC2/CBC/PKCS5Padding (valid with length 40-128)
Default: AES/CBC/PKCS5Padding (with length 128).

length
Specifies the length of the encryption key. Default: 128. (Optional)

key_filename
Specifies the file name of the local encryption key used to encrypt the table key. Local keys are specified in system_key_directory in dse.yaml. Default: system_key. (Optional)
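
An added example (not DataStax code) that checks a COMPRESSION option map against the class names, algorithm and length pairs, and defaults listed above. The review_compression function, its warning policy (ECB mode, 64-bit block ciphers, keys under 128 bits) and the sample maps are assumptions of this example, not DSE behaviour.

```python
import ast

# Class names and cipher/key-length pairs exactly as listed on this page.
ENCRYPTION_CLASSES = {"Encryptor", "EncryptingLZ4Compressor",
                      "EncryptingDeflateCompressor", "EncryptingSnappyCompressor"}
SUPPORTED = {
    "AES/CBC/PKCS5Padding": {128, 192, 256},
    "AES/ECB/PKCS5Padding": {128, 192, 256},
    "DES/CBC/PKCS5Padding": {56},
    "DESede/CBC/PKCS5Padding": {112, 168},
    "Blowfish/CBC/PKCS5Padding": range(32, 449),
    "RC2/CBC/PKCS5Padding": range(40, 129),
}
DEFAULTS = {"cipher_algorithm": "AES/CBC/PKCS5Padding", "secret_key_strength": 128}
LEGACY_64BIT_BLOCK = {"DES", "DESede", "Blowfish", "RC2"}  # reviewer's list, not from the page


def review_compression(cql_map):
    """Return (errors, warnings) for the map that follows COMPRESSION =."""
    # Assumption: the map holds only quoted strings and integers, so the CQL
    # literal is also a valid Python dict literal.
    opts = ast.literal_eval(cql_map.strip().rstrip(";"))
    cfg = {**DEFAULTS, **opts}  # unset options fall back to the documented defaults
    errors, warnings = [], []
    if cfg.get("class") not in ENCRYPTION_CLASSES:
        errors.append("'class' is not one of the encryption classes")
    algo, bits = cfg["cipher_algorithm"], int(cfg["secret_key_strength"])
    if algo not in SUPPORTED:
        errors.append(f"unsupported cipher_algorithm {algo!r}")
    elif bits not in SUPPORTED[algo]:
        errors.append(f"{algo} is not valid with length {bits}")
    else:
        # Hardening checks below are the reviewer's policy, not DSE behaviour.
        name, mode, _padding = algo.split("/")
        if mode == "ECB":
            warnings.append("ECB maps equal plaintext blocks to equal ciphertext blocks")
        if name in LEGACY_64BIT_BLOCK:
            warnings.append(f"{name} is a legacy 64-bit block cipher; prefer AES")
        if bits < 128:
            warnings.append(f"{bits}-bit key is below 128 bits")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample option maps.
    for sample in ("{ 'class' : 'EncryptingSnappyCompressor', 'secret_key_strength' : 256 };",
                   "{ 'class' : 'Encryptor', 'cipher_algorithm' : 'DES/CBC/PKCS5Padding', 'secret_key_strength' : 56 }",
                   "{ 'class' : 'Encryptor', 'cipher_algorithm' : 'AES/ECB/PKCS5Padding' }"):
        print(sample, "->", review_compression(sample))
```

Other compression options in the map are ignored by this check, since the syntax above shows only the encryption options.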