Creating a Table with Encryption and Compression

DataStax recommends creating tables with both encryption and compression enabled, using EncryptingLZ4Compressor as the encryption class.

Prerequisites

  • cipher_algorithm[/mode/padding]

    DSE supports the following JCE cipher algorithms:

    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).

    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)

    • DES/CBC/PKCS5Padding (valid with length 56)

    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)

    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)

    • RC2/CBC/PKCS5Padding (valid with length 40-128) Default value: AES/CBC/PKCS5Padding (with length 128).

Complete the key setup described in Setting up local encryption keys.

When using a local encryption key file, set the location system_key_directory and ensure that the key file is owned by the account running DSE.

Procedure

  1. Change to the keyspace where you want to create the table. The following examples use test as the keyspace name:

    cqlsh
    USE test;

  2. Create the table with encryption and compression.

    The following example encrypts a table named encryption_test using the DESede algorithm, with a key length of 112. Data is compressed using the EncryptingLZ4Compressor compressor.

    A local encryption key called system_key must exist in the directory specified by system_key_directory. This file was created when Setting up local encryption keys.

    If the DSE account does not have read/write permission or the file is missing, an error message Failed to initialize Encryptor displays.

    CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = {
      'class': 'EncryptingLZ4Compressor',
      'cipher_algorithm' : 'DESede/CBC/PKCS5Padding',
      'secret_key_strength' : 112,
      'system_key_file' : 'system_key' };

    See Table encryption options and syntax for more information.

  3. To change the encryption settings, use the ALTER TABLE command and specify the settings to modify.

    The following command changes the encryption key used to encrypt the table data, and modifies the key strength.

    ALTER TABLE test.encryption_test WITH COMPRESSION = {
      'class': 'EncryptingLZ4Compressor',
      'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
      'secret_key_strength' : 128,
      'system_key_file' : 'system_key' };

  4. If you changed encryption settings, run the following command on all nodes in the cluster to rewrite the SSTables using the new encryption key:

    nodetool upgradesstables -a test encryption_test

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com