Encrypt a table with flat-file based encryption key
This guide demonstrates how to encrypt a table using a flat-file based encryption key in HCD.
Prerequisites
- HCD cluster is running
- You have access to nodetool and cqlsh
- JCE Unlimited is enabled (required for encryption algorithms)
Create an encryption key
First, create an encryption key using the nodetool createsystemkey command:
nodetool createsystemkey AES/CBC/PKCS5Padding 128
This command creates a 128-bit AES key using CBC mode with PKCS5Padding.
The key is saved to /etc/cassandra/conf/system_key by default. The command confirms the location:
Successfully created key /etc/cassandra/conf/system_key
Create a keyspace
Create a keyspace to hold your encrypted table:
CREATE KEYSPACE IF NOT EXISTS ks WITH REPLICATION = {'class':'SimpleStrategy','replication_factor':'1'};
Create an encrypted table
Create a table with encryption enabled. The encryption parameters must match the key you created:
CREATE TABLE ks.tbl (id text, value text, PRIMARY KEY (id))
WITH compression = {
'class' : 'Encryptor',
'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
'secret_key_strength' : 128,
'key_provider' : 'LocalFileSystemKeyProviderFactory',
'secret_key_file': '/etc/cassandra/conf/system_key'
};
Verify the table
Verify that your table was created with encryption:
DESCRIBE TABLE ks.tbl;
You should see the encryption options in the table definition.
What happens next
- All data written to the table (except primary keys) is automatically encrypted
- Data is encrypted when written to SSTables on disk
- Applications can read and write to the table normally; encryption is transparent
- The encryption key file must be accessible to all nodes in the cluster
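As an added example that is not part of the original guide, the following POSIX shell script ties the verification step and the key-file note together: it checks that DESCRIBE TABLE reports the Encryptor class, that the table's secret_key_strength agrees with the strength recorded in the node's key file, and that the key file is not readable by group or others. It assumes the system_key file is a single line of the form CIPHER:STRENGTH:BASE64KEY (an assumption, not stated on this page) and uses a constructed DESCRIBE result and a constructed key file so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check an Encryptor table
# against the flat-file key on this node. Assumption: the system_key file holds one
# line of the form CIPHER:STRENGTH:BASE64KEY (not documented on this page).

# key_strength_from_file FILE -> prints the key strength recorded in the key file
key_strength_from_file() {
  cut -d: -f2 "$1" | tr -d ' \n'
}

# table_key_strength DESCRIBE_OUTPUT -> prints the table's secret_key_strength option
# (DESCRIBE may render it quoted or unquoted; both forms are accepted)
table_key_strength() {
  printf '%s\n' "$1" |
    sed -n "s/.*'secret_key_strength' *: *'\{0,1\}\([0-9]*\)'\{0,1\}.*/\1/p" | head -n 1
}

# uses_encryptor DESCRIBE_OUTPUT -> succeeds if the compression class is Encryptor
uses_encryptor() {
  printf '%s\n' "$1" | grep -q "'class' *: *'Encryptor'"
}

# key_file_locked_down FILE -> succeeds if group/others have no access to the key
key_file_locked_down() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# check_table DESCRIBE_OUTPUT KEY_FILE -> prints OK on success, a FAIL reason otherwise
check_table() {
  uses_encryptor "$1" || { echo "FAIL: compression class is not Encryptor"; return 1; }
  ts=$(table_key_strength "$1"); ks=$(key_strength_from_file "$2")
  [ -n "$ts" ] && [ "$ts" = "$ks" ] ||
    { echo "FAIL: table secret_key_strength '$ts' != key file strength '$ks'"; return 1; }
  key_file_locked_down "$2" || { echo "FAIL: $2 is readable by group/others"; return 1; }
  echo "OK: $2 ($ks-bit) matches table; permissions restricted"
}

# Constructed sample input so the checks run offline (not real cluster output).
# On a live node use: SAMPLE_DESC=$(cqlsh -e 'DESCRIBE TABLE ks.tbl') and the real key path.
SAMPLE_DESC="CREATE TABLE ks.tbl (id text PRIMARY KEY, value text) WITH compression = {'class': 'Encryptor', 'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'key_provider': 'LocalFileSystemKeyProviderFactory', 'secret_key_file': '/etc/cassandra/conf/system_key', 'secret_key_strength': '128'};"
SAMPLE_KEY=$(mktemp)
printf 'AES/CBC/PKCS5Padding:128:Y29uc3RydWN0ZWQtZGVtby1rZXktbm90LXJlYWw=\n' > "$SAMPLE_KEY"
chmod 600 "$SAMPLE_KEY"

check_table "$SAMPLE_DESC" "$SAMPLE_KEY"
```

Run it on each node with the real key path after the table is created; a FAIL on any node points at the node that will not be able to read or write the encrypted SSTables correctly.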