Encrypting table data

Encrypt data stored in a table using a Key Management Interoperability Protocol (KMIP) key.

Starting with DSE 6.8, when Transparent Data Encryption (TDE) is enabled, all header data in indexes is encrypted, including the partition keys in SSTable indexes. This protects sensitive data that might be present in the primary key. Consequently, DSE cannot access SSTables that it cannot decrypt.

When non-decryptable SSTables are present, DSE issues an error message during startup. If the disk failure policy is set to either ignore or best_effort, the error is not fatal: DSE skips the non-decryptable SSTable, and queries silently omit its content with no warning or error.

Prerequisites

Complete the steps in Adding a KMIP host.

If any of the defined KMIP groups are not available, DSE startup fails.

Procedure

  1. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  2. To create a new encrypted table using a key from a KMIP server:

    • Encryption without compression:

      CREATE TABLE customers
        ...
        WITH COMPRESSION =
        { 'class': 'Encryptor',
        'key_provider': 'KmipKeyProviderFactory',
        'kmip_host': 'kmip_group_name',
        'key_namespace': 'kmip_namespace',   -- optional
        'cipher_algorithm': 'AES/ECB/PKCS5Padding',
        'secret_key_strength': 128 };
      • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when using a KMIP key server; otherwise omit it.

      • 'kmip_host': 'kmip_group_name' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of the dse.yaml file.

      • 'key_namespace': 'kmip_namespace' specifies an optional KMIP namespace. Use namespaces to manage keys at per-table or per-keyspace granularity; omit the entry if no namespace is needed.

    • Compression and encryption:

      CREATE TABLE customers
        ...
        WITH COMPRESSION =
        { 'class': 'EncryptingDeflateCompressor',
        'key_provider': 'KmipKeyProviderFactory',
        'kmip_host': 'kmip_group_name',
        'cipher_algorithm': 'AES/ECB/PKCS5Padding',
        'secret_key_strength': 128 };
  3. To encrypt a pre-existing table:

    1. Change the table compression settings:

      • Encryption without compression:

        ALTER TABLE customers
          ...
          WITH COMPRESSION =
          { 'class': 'Encryptor',
          'key_provider': 'KmipKeyProviderFactory',
          'kmip_host': 'kmip_group_name',
          'key_namespace': 'kmip_namespace',   -- optional
          'cipher_algorithm': 'AES/ECB/PKCS5Padding',
          'secret_key_strength': 128 };
        • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when using a KMIP key server; otherwise omit it.

        • 'kmip_host': 'kmip_group_name' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of the dse.yaml file.

        • 'key_namespace': 'kmip_namespace' specifies an optional KMIP namespace. Use namespaces to manage keys at per-table or per-keyspace granularity; omit the entry if no namespace is needed.

      • Compression and encryption:

        ALTER TABLE customers
          ...
          WITH COMPRESSION =
          { 'class': 'EncryptingDeflateCompressor',
          'key_provider': 'KmipKeyProviderFactory',
          'kmip_host': 'kmip_group_name',
          'cipher_algorithm': 'AES/ECB/PKCS5Padding',
          'secret_key_strength': 128 };
    2. Encrypt existing data on all nodes in the cluster:

    nodetool upgradesstables -a [keyspace_name [table_name [table_name ...]]]
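The following pre-flight check is an added example and is not DataStax code. It reads the group names under kmip_hosts in dse.yaml with a simplified line-based reader (an assumption: two-space block indentation as in the stock file, not a full YAML parser), extracts the WITH COMPRESSION map from a CREATE or ALTER TABLE statement, and reports options that do not match the procedure above: a class other than Encryptor or EncryptingDeflateCompressor, a kmip_host that names no defined group, or a missing cipher_algorithm or secret_key_strength. It also builds the nodetool upgradesstables invocation for the final step. The dse.yaml fragment, the table columns and the group names are constructed for the example.

```python
"""Pre-flight check for DSE table encryption options against dse.yaml KMIP groups.

Added example, not DataStax code. All sample data below is constructed.
"""
import re

# Constructed dse.yaml fragment: group names and hosts are invented for this example.
SAMPLE_DSE_YAML = """\
kmip_hosts:
  kmip_group_name:
    hosts: kmip1.example.internal, kmip2.example.internal
    keystore_path: /etc/dse/conf/kmip_keystore.jks
    truststore_path: /etc/dse/conf/kmip_truststore.jks
  hr_keys:
    hosts: kmip-hr.example.internal
"""

# Constructed statements: one consistent with dse.yaml, one referencing an undefined group.
GOOD_CQL = """\
CREATE TABLE customers (
  id uuid PRIMARY KEY,
  name text,
  card_number text)
WITH COMPRESSION =
  { 'class': 'EncryptingDeflateCompressor',
    'key_provider': 'KmipKeyProviderFactory',
    'kmip_host': 'kmip_group_name',
    'key_namespace': 'customers_ns',
    'cipher_algorithm': 'AES/ECB/PKCS5Padding',
    'secret_key_strength': 128 };
"""

BAD_CQL = """\
ALTER TABLE customers
WITH COMPRESSION =
  { 'class': 'Encryptor',
    'key_provider': 'KmipKeyProviderFactory',
    'kmip_host': 'payments_kms',
    'cipher_algorithm': 'AES/ECB/PKCS5Padding',
    'secret_key_strength': 128 };
"""

# The two compression classes the procedure uses for encrypted tables.
ENCRYPTING_CLASSES = {"Encryptor", "EncryptingDeflateCompressor"}


def kmip_groups(dse_yaml_text):
    """Return the group names defined under kmip_hosts in a dse.yaml.

    Assumption: block style with two-space indentation, as in the stock dse.yaml.
    This is a simplified reader, not a general YAML parser.
    """
    groups = set()
    in_block = False
    for line in dse_yaml_text.splitlines():
        if re.match(r"kmip_hosts:\s*$", line):
            in_block = True
            continue
        if not in_block or not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            break  # the next top-level key ends the kmip_hosts section
        m = re.match(r"\s{2}(\w+):\s*$", line)
        if m and indent == 2:
            groups.add(m.group(1))
    return groups


def compression_options(cql):
    """Extract the WITH COMPRESSION map of a CREATE/ALTER TABLE statement as a dict."""
    m = re.search(r"COMPRESSION\s*=\s*\{(.*?)\}", cql, re.S | re.I)
    if not m:
        return {}
    opts = {}
    # Each entry is 'key': 'string' or 'key': integer.
    for key, sval, nval in re.findall(r"'([^']+)'\s*:\s*(?:'([^']*)'|(\d+))", m.group(1)):
        opts[key] = int(nval) if nval else sval
    return opts


def check_table_encryption(cql, dse_yaml_text):
    """Return a list of problems; an empty list means the options are consistent."""
    opts = compression_options(cql)
    problems = []
    cls = opts.get("class")
    if cls not in ENCRYPTING_CLASSES:
        problems.append(f"class {cls!r} is not an encrypting compressor "
                        f"(expected one of {sorted(ENCRYPTING_CLASSES)})")
    if opts.get("key_provider") == "KmipKeyProviderFactory":
        host = opts.get("kmip_host")
        groups = kmip_groups(dse_yaml_text)
        if host is None:
            problems.append("kmip_host is required when key_provider is KmipKeyProviderFactory")
        elif host not in groups:
            problems.append(f"kmip_host {host!r} is not defined under kmip_hosts in dse.yaml "
                            f"(defined groups: {sorted(groups)})")
    for required in ("cipher_algorithm", "secret_key_strength"):
        if required not in opts:
            problems.append(f"{required} is missing")
    return problems


def upgrade_command(keyspace=None, *tables):
    """Build the nodetool upgradesstables invocation; run it on every node in the cluster."""
    cmd = ["nodetool", "upgradesstables", "-a"]
    if keyspace:
        cmd.append(keyspace)
        cmd.extend(tables)
    return cmd


if __name__ == "__main__":
    for label, cql in (("GOOD_CQL", GOOD_CQL), ("BAD_CQL", BAD_CQL)):
        print(label, check_table_encryption(cql, SAMPLE_DSE_YAML) or "ok")
    print(" ".join(upgrade_command("shop", "customers")))
```

Run the check against the real dse.yaml and the statements you intend to apply before running nodetool upgradesstables, since the rewrite touches every SSTable of the table on every node.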

© 2024 DataStax