
DataStax Enterprise 6.8 Security Guide


Encrypting Tables

Configure Transparent Data Encryption (TDE) to protect all data in a table, except for the primary key columns. Different tables can use different keys.

When Transparent Data Encryption (TDE) is enabled, starting in DSE 6.8, all header data in indexes is encrypted, including partition keys in SSTable indexes. This feature is designed to protect sensitive data that might be present in the primary key. Consequently, DSE cannot access SSTables that it cannot decrypt. When non-decryptable SSTables are present, DSE issues an error message during startup. If the error is ignored because the disk failure policy is set to either ignore or best_effort, DSE skips the non-decryptable SSTable and therefore ignores its content on queries without issuing a warning or error.

Two keys are used for table encryption:

  • Local encryption key: Encrypts/decrypts internal table encryption key values.

  • Table encryption key: DSE creates a single key entry in the dse_system.encrypted_keys table for each cipher algorithm, key strength, and local encryption key combination that is defined for table encryption. Tables with the same encryption settings use the same encryption key.

Data is encrypted when written to SSTables on disk. Applications can read and write to SSTables that use different encryption algorithms or no encryption at all.

Creating a Table with Encryption and Compression

DataStax recommends creating tables with both encryption and compression enabled, using EncryptingLZ4Compressor as the encryption class.

Prerequisites

  • cipher_algorithm[/mode/padding]

    DSE supports the following JCE cipher algorithms:

    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)

    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)

    • DES/CBC/PKCS5Padding (valid with length 56)

    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)

    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)

    • RC2/CBC/PKCS5Padding (valid with length 40-128)

    Default value: AES/CBC/PKCS5Padding (with length 128).

  • Complete the key setup described in Setting up local encryption keys.

  • When using a local encryption key file, set system_key_directory to the directory that contains the key file, and ensure that the key file is owned by the account running DSE.

Procedure

  1. Change to the keyspace where you want to create the table. The following examples use test as the keyspace name:

    cqlsh
    USE test;
  2. Create the table with encryption and compression.

    The following example encrypts a table named encryption_test using the DESede algorithm with a key length of 112, and compresses the data with EncryptingLZ4Compressor.

    A local encryption key called system_key must exist in the directory specified by system_key_directory. This file was created in Setting up local encryption keys.

    If the DSE account does not have read/write permission on the key file, or the file is missing, the error message Failed to initialize Encryptor is displayed.

    CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = {
          'class': 'EncryptingLZ4Compressor',
          'cipher_algorithm' : 'DESede/CBC/PKCS5Padding',
          'secret_key_strength' : 112,
          'system_key_file' : 'system_key' };

    See Table encryption options and syntax for more information.

  3. To change the encryption settings, use the ALTER TABLE command and specify the settings to modify.

    The following command changes the cipher algorithm and key strength used to encrypt the table data. Because the settings no longer match the previous key entry, a different table encryption key is used.

    ALTER TABLE test.encryption_test WITH COMPRESSION = {
          'class': 'EncryptingLZ4Compressor',
          'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
          'secret_key_strength' : 128,
          'system_key_file' : 'system_key' };
  4. If you changed encryption settings, run the following command on all nodes in the cluster to rewrite the SSTables using the new encryption key:

    nodetool upgradesstables -a test encryption_test

Table Encryption Options and Syntax

When a table definition uses an encryption class, all table data except for primary keys is encrypted with a key entry from the dse_system.encrypted_keys table. If no existing key matches the cipher_algorithm, secret_key_strength, and system_key_file settings, a new key is created and added to dse_system.encrypted_keys.

The following syntax only shows encryption options. All other compression options, such as chunk_length_in_kb, are also available.

Syntax

COMPRESSION = {
  'class' : '<encryption_class>'[,
  'cipher_algorithm' : '<cipher_algorithm_type>'] [,
  'secret_key_strength' : <length>] [,
  'system_key_file': '<key_filename>'] };

Options

  • encryption_class

    Specifies the encryption type. Use one of the class names from the following table. (Required)

    Name                         Encrypts   Compresses
    Encryptor [1]                Yes        No
    EncryptingLZ4Compressor      Yes        Yes
    EncryptingDeflateCompressor  Yes        Yes
    EncryptingSnappyCompressor   Yes        Yes

    [1] When using the Encryptor class, specify a larger young generation heap (the -Xmn parameter) to improve garbage collection (GC). For example, set the size to: -Xmn1600M when running cassandra-stress.

  • cipher_algorithm_type

    Sets the cipher algorithm (cipher_algorithm[/mode/padding]) of the encryption key. DSE supports the following JCE cipher algorithms and corresponding key lengths:

    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)

    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)

    • DES/CBC/PKCS5Padding (valid with length 56)

    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)

    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)

    • RC2/CBC/PKCS5Padding (valid with length 40-128)

    Default value: AES/CBC/PKCS5Padding (with length 128). (Optional)

  • length

    Specifies the length of the encryption key.

    Default: 128. (Optional)

  • key_filename

    Specifies the file name of the local encryption key used to encrypt the table key. Local keys are located in system_key_directory.

    Default: system_key. (Optional)
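The option rules above and the key-sharing behaviour described under Table encryption key, as an added worked example (not DataStax code): it checks a COMPRESSION option map against the algorithm/key-length table on this page, derives the (algorithm, strength, key file) identity that decides whether two tables share a dse_system.encrypted_keys entry, and renders the CREATE/ALTER clause plus the nodetool rewrite step from the procedure. Function names and sample option maps are this example's own.

```python
# Added example (not DataStax code): validates DSE table-encryption options
# against the algorithm/key-length table on this page and renders the CQL.

# JCE algorithm -> secret_key_strength values the page lists as valid.
SUPPORTED = {
    "AES/CBC/PKCS5Padding": (128, 192, 256),
    "AES/ECB/PKCS5Padding": (128, 192, 256),
    "DES/CBC/PKCS5Padding": (56,),
    "DESede/CBC/PKCS5Padding": (112, 168),
    "Blowfish/CBC/PKCS5Padding": range(32, 449),
    "RC2/CBC/PKCS5Padding": range(40, 129),
}
ENCRYPTION_CLASSES = ("Encryptor", "EncryptingLZ4Compressor",
                      "EncryptingDeflateCompressor", "EncryptingSnappyCompressor")
# Page defaults, applied when an option is omitted from the COMPRESSION map.
DEFAULTS = {"cipher_algorithm": "AES/CBC/PKCS5Padding",
            "secret_key_strength": 128, "system_key_file": "system_key"}

def validate(opts):
    """Return the problems with an option map; an empty list means accepted."""
    problems = []
    if opts.get("class") not in ENCRYPTION_CLASSES:
        problems.append(f"unknown encryption class {opts.get('class')!r}")
    alg = opts.get("cipher_algorithm", DEFAULTS["cipher_algorithm"])
    length = opts.get("secret_key_strength", DEFAULTS["secret_key_strength"])
    if alg not in SUPPORTED:
        problems.append(f"unsupported cipher_algorithm {alg!r}")
    elif length not in SUPPORTED[alg]:
        problems.append(f"{alg} does not accept secret_key_strength {length}")
    return problems

def key_identity(opts):
    """DSE keeps one dse_system.encrypted_keys entry per (algorithm, strength,
    local key file): tables whose identities are equal share one table key."""
    return tuple(opts.get(k, DEFAULTS[k]) for k in DEFAULTS)

def compression_clause(opts):
    """Render the COMPRESSION = {...} map for CREATE/ALTER TABLE, or raise."""
    problems = validate(opts)
    if problems:
        raise ValueError("; ".join(problems))
    items = (f"'{k}': {v}" if isinstance(v, int) else f"'{k}': '{v}'"
             for k, v in opts.items())
    return "COMPRESSION = {" + ", ".join(items) + "}"

def rekey_commands(keyspace, table, new_opts):
    """The ALTER TABLE plus the nodetool run the page requires afterwards on
    every node, so existing SSTables are rewritten with the new table key."""
    return [f"ALTER TABLE {keyspace}.{table} WITH {compression_clause(new_opts)};",
            f"nodetool upgradesstables -a {keyspace} {table}"]
```

Run validate() before issuing the statement so an unsupported algorithm/length pair is caught in review rather than at node startup.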

