Encrypt table data with KMIP keys
Encrypt data stored in a table using a Key Management Interoperability Protocol (KMIP) key.
Prerequisites
Complete the steps in Adding a KMIP host.
If any of the defined |
Use the hcd.yaml file to encrypt table data
- Locate the hcd.yaml configuration file. The location of this file depends on the type of installation:
  - Package installations: /etc/hcd/hcd.yaml
  - Tarball installations: <installation_location>/resources/hcd/conf/hcd.yaml
- To create a new encrypted table using a key from a KMIP server:
  - Encryption without compression:
    CREATE TABLE customers ... WITH COMPRESSION = { 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name' ['key_keyspace': 'kmip_keyspace'], 'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'secret_key_strength': 128 };
    - 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when the keys come from a KMIP server; otherwise omit it and the default key provider is used.
    - 'kmip_host': 'kmip_group_name' names the KMIP host group configured in hcd.yaml (see the prerequisite). The 'key_keyspace': 'kmip_keyspace' entry is optional (the square brackets mark the option and are not part of the statement) and specifies a KMIP keyspace; use keyspaces to manage keys on a per-table or per-keyspace basis.
    - 'cipher_algorithm' and 'secret_key_strength' select the cipher and the key size. AES/ECB/PKCS5Padding, as shown here, encrypts every 16-byte block independently, so identical plaintext blocks produce identical ciphertext and repeated values remain recognisable in the SSTable files. For new tables prefer a chained mode such as AES/CBC/PKCS5Padding where the deployment supports it.
  - Compression and encryption:
    CREATE TABLE customers ... WITH COMPRESSION = { 'class': 'EncryptingDeflateCompressor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name', 'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'secret_key_strength': 128 };
- To encrypt a pre-existing table:
  - Change the table compression settings:
    - Encryption without compression:
      ALTER TABLE customers ... WITH COMPRESSION = { 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name' ['key_keyspace': 'kmip_keyspace'], 'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'secret_key_strength': 128 };
      - 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key_provider' entry only when the keys come from a KMIP server; otherwise omit it and the default key provider is used.
      - 'key_keyspace': 'kmip_keyspace' is optional (the square brackets mark the option and are not part of the statement) and specifies a KMIP keyspace; use keyspaces to manage keys on a per-table or per-keyspace basis.
    - Compression and encryption:
      ALTER TABLE customers ... WITH COMPRESSION = { 'class': 'EncryptingDeflateCompressor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name', 'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'secret_key_strength': 128 };
    Changing the compression settings only affects SSTables written after the ALTER; data already on disk stays unencrypted until it is rewritten in the next step.
  - Encrypt existing data on all nodes in the cluster. Run the command on every node; the -a option rewrites all SSTables, including those already at the current version, so data written before the ALTER is re-encoded with the new settings:
    nodetool upgradesstables -a [keyspace_name [table_name ...]]
    Until this has completed on every node, the older SSTables (and any snapshots taken from them) still hold the data in the clear.
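The procedure above carried through end to end (ALTER the table, confirm the schema change took effect, then rewrite the existing SSTables on every node), as an added shell example that is not part of the HCD documentation. The keyspace shop, the table customers, the node addresses, the system_schema.tables query and the sample cqlsh output are assumptions for illustration, and AES/CBC/PKCS5Padding is assumed to be an accepted cipher_algorithm value; cqlsh and nodetool are only invoked by rollout(), so the helper functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not from the HCD documentation: roll out KMIP-backed table
# encryption for an existing table and check each step before moving on.
# Hypothetical names: keyspace "shop", table "customers", KMIP host group
# "kmip_group_name", node addresses passed to rollout(). cqlsh and nodetool
# are only invoked by rollout(); the helper functions run stand-alone.
set -eu

# Build the ALTER TABLE statement. A fourth argument adds the optional
# 'key_keyspace' entry. AES/CBC/PKCS5Padding (assumed to be accepted) is
# used instead of the ECB cipher so equal plaintext blocks do not repeat.
build_alter_cql() {
  ks="$1"; tbl="$2"; kmip_host="$3"; key_ks="${4:-}"
  extra=""
  if [ -n "$key_ks" ]; then
    extra=", 'key_keyspace': '$key_ks'"
  fi
  printf "ALTER TABLE %s.%s WITH COMPRESSION = { 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': '%s'%s, 'cipher_algorithm': 'AES/CBC/PKCS5Padding', 'secret_key_strength': 128 };" \
    "$ks" "$tbl" "$kmip_host" "$extra"
}

# Inspect the compression map of a table as printed by
#   cqlsh -e "SELECT compression FROM system_schema.tables
#             WHERE keyspace_name='shop' AND table_name='customers';"
# Returns 0 when the table is KMIP-encrypted with a non-ECB cipher,
# 2 when it is KMIP-encrypted but uses an ECB cipher, 1 otherwise.
check_compression() {
  map="$1"
  if ! printf '%s' "$map" | grep -Eq "'key_provider': *'KmipKeyProviderFactory'"; then
    return 1
  fi
  if ! printf '%s' "$map" | grep -Eq "'class': *'[^']*(Encryptor|EncryptingDeflateCompressor)'"; then
    return 1
  fi
  if printf '%s' "$map" | grep -Eq "'cipher_algorithm': *'[^']*/ECB/"; then
    return 2
  fi
  return 0
}

# Apply the schema change, confirm it took effect, then rewrite the SSTables
# on every node. Data written before the ALTER stays in cleartext on disk
# until upgradesstables -a has finished on all nodes.
rollout() {
  ks="$1"; tbl="$2"; kmip_host="$3"; nodes="$4"
  cqlsh -e "$(build_alter_cql "$ks" "$tbl" "$kmip_host")"
  map="$(cqlsh -e "SELECT compression FROM system_schema.tables WHERE keyspace_name='$ks' AND table_name='$tbl';" | grep "key_provider" || true)"
  rc=0
  check_compression "$map" || rc=$?
  case "$rc" in
    0) ;;
    2) echo "warning: $ks.$tbl uses an ECB cipher" >&2 ;;
    *) echo "error: $ks.$tbl is not KMIP-encrypted; aborting" >&2; return 1 ;;
  esac
  for node in $nodes; do
    echo "rewriting SSTables of $ks.$tbl on $node"
    nodetool -h "$node" upgradesstables -a "$ks" "$tbl"
  done
}

# Constructed sample compression maps (not captured from a real cluster).
SAMPLE_ENCRYPTED="{'chunk_length_in_kb': '64', 'cipher_algorithm': 'AES/CBC/PKCS5Padding', 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name', 'secret_key_strength': '128'}"
SAMPLE_ECB="{'cipher_algorithm': 'AES/ECB/PKCS5Padding', 'class': 'Encryptor', 'key_provider': 'KmipKeyProviderFactory', 'kmip_host': 'kmip_group_name', 'secret_key_strength': '128'}"
SAMPLE_PLAIN="{'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}"

# Run the real rollout only when explicitly asked:
#   sh kmip_rollout.sh run
if [ "${1:-}" = "run" ]; then
  rollout shop customers kmip_group_name "10.0.0.11 10.0.0.12 10.0.0.13"
fi
```

The schema check sits between the ALTER and the SSTable rewrite on purpose: upgradesstables -a rewrites every SSTable with whatever compression parameters the table currently has, so running it against a table whose ALTER failed or was typed against the wrong keyspace only produces another unencrypted copy of the data.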