Encrypting Tables
Configure Transparent Data Encryption (TDE) to protect all data in a table, except for the primary key columns. Different tables can use different keys.
|
When Transparent Data Encryption (TDE) is enabled, starting in DataStax Enterprise (DSE) 6.8, all header data in indexes are encrypted, including partition keys in SSTable indexes.
This feature is designed to protect sensitive data that might be present in the primary key. Consequently, DSE cannot access SSTables that are not decryptable.
When non-decryptable SSTables are present, DSE issues an error message during startup.
If the error is ignored because the disk failure policy is specified as either |
Two keys are used for table encryption:
-
Local encryption key: Encrypts/decrypts internal table encryption key values.
-
Table encryption key: DSE creates a single key entry in the
dse_system.encrypted_keystable for each cipher algorithm, key strength, and local encryption key combination that is defined for table encryption.Tables with the same encryption settings use the same encryption key.
Data is encrypted when written to SSTables on disk. Applications can read and write to SSTables that use different encryption algorithms or no encryption at all.
Creating a Table with Encryption and Compression
DataStax recommends creating tables with both encryption and compression enabled, using EncryptingLZ4Compressor as the encryption class.
Prerequisites
-
cipher_algorithm[/mode/padding]
DSE supports the following
JCEcipher algorithms:-
AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).
-
AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
-
DES/CBC/PKCS5Padding (valid with length 56)
-
DESede/CBC/PKCS5Padding (valid with length 112 or 168)
-
Blowfish/CBC/PKCS5Padding (valid with length 32-448)
-
RC2/CBC/PKCS5Padding (valid with length 40-128) Default value:
AES/CBC/PKCS5Padding(with length 128).
-
Complete the key setup described in Setting up local encryption keys.
|
When using a local encryption key file, set the location system_key_directory and ensure that the key file is owned by the account running DSE. |
Procedure
-
Change to the keyspace where you want to create the table. The following examples use
testas the keyspace name:cqlshUSE test; -
Create the table with encryption and compression.
The following example encrypts a table named
encryption_testusing theDESedealgorithm, with a key length of112. Data is compressed using theEncryptingLZ4Compressorcompressor.A local encryption key called
system_keymust exist in the directory specified by system_key_directory. This file was created when Setting up local encryption keys.If the DSE account does not have read/write permission or the file is missing, an error message Failed to initialize Encryptor displays.
CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = { 'class': 'EncryptingLZ4Compressor', 'cipher_algorithm' : 'DESede/CBC/PKCS5Padding', 'secret_key_strength' : 112, 'system_key_file' : 'system_key' };See Table encryption options and syntax for more information.
-
To change the encryption settings, use the
ALTER TABLEcommand and specify the settings to modify.The following command changes the encryption key used to encrypt the table data, and modifies the key strength.
ALTER TABLE test.encryption_test WITH COMPRESSION = { 'class': 'EncryptingLZ4Compressor', 'cipher_algorithm' : 'AES/ECB/PKCS5Padding', 'secret_key_strength' : 128, 'system_key_file' : 'system_key' }; -
If you changed encryption settings, run the following command on all nodes in the cluster to rewrite the SSTables using the new encryption key:
nodetool upgradesstables -a test encryption_test
Table Encryption Options and Syntax
When a table definition uses an encryption class, all table data except for primary keys is encrypted with a key entry from the dse_system.encrypted_keys table.
If no keys match the cipher_algorithm, secret_key_strength, and system_key_file settings, a new key is created and added to the table.
|
The following syntax only shows encryption options.
All other compression options, such as |
Syntax
COMPRESSION = {
'class' : '<encryption_class>'[,
'cipher_algorithm' : '<cipher_algorithm_type>'] [,
'secret_key_strength' : <length>] [,
'system_key_file': '<key_filename>'] };Options
-
encryption_classSpecifies the encryption type. Use one of the class names from the following table. (Required)
Name Encrypts Compresses Encryptor [1]
Yes
No
EncryptingLZ4Compressor
Yes
Yes
EncryptingDeflateCompressor
Yes
Yes
EncryptingSnappyCompressor
Yes
Yes
[1] When using the Encryptor class, specify a larger young generation heap (the
-Xmnparameter) to improve garbage collection (GC). For example, set the size to:-Xmn1600Mwhen runningcassandra-stress.cipher_algorithm_type-
Sets the type of encryption key. DSE supports the following JCE algorithms and corresponding
length.
-
cipher_algorithm[/mode/padding]
DSE supports the following
JCEcipher algorithms:-
AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).
-
AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
-
DES/CBC/PKCS5Padding (valid with length 56)
-
DESede/CBC/PKCS5Padding (valid with length 112 or 168)
-
Blowfish/CBC/PKCS5Padding (valid with length 32-448)
-
RC2/CBC/PKCS5Padding (valid with length 40-128) Default value:
AES/CBC/PKCS5Padding(with length 128).length-
Specifies the length of the encryption key.
Default:
128. (Optional) key_filename-
Specifies the file name of the local encryption key used to encrypt the table key. Local keys are specified in
system_key_directory.Default:
system_key. (Optional)
-
