Encrypt table data with KMIP keys

Encrypt data stored in a table using a Key Management Interoperability Protocol (KMIP) key.

Prerequisites

Complete the steps in Adding a KMIP host.

If any of the defined KMIP groups are not available, HCD startup fails.

Use the hcd.yaml file to encrypt table data

  1. Locate the hcd.yaml configuration file. The location of this file depends on your installation type.

    • Package installations

    • Tarball installations

    /etc/hcd/hcd.yaml
    INSTALLATION_LOCATION/resources/hcd/conf/hcd.yaml

    Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

  2. To create a new encrypted table using a key from a KMIP server:

    • Encryption without compression:

      CREATE TABLE customers
  ...
  WITH COMPRESSION =
  { 'class': 'Encryptor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group_name'
    ['key_keyspace': 'kmip_keyspace'],
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

      • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key provider' entry only to specify to use a KMIP key server, otherwise omit this entry.

      • 'kmip_host': 'kmip_group_name' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of the hcd.yaml file.

      • 'kmip_host': 'kmip_group_name' ['key_keyspace': 'kmip_keyspace'] specify an optional KMIP keyspace. Use keyspaces to allow granular management of keys on a per table or keyspace basis.

    • Compression and encryption:

      CREATE TABLE customers
  ...
  WITH COMPRESSION =
  { 'class': 'EncryptingDeflateCompressor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group_name',
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

  3. To encrypt a pre-existing table:

    1. Change the table compression settings:

      • Encryption without compression:

        ALTER TABLE customers
  ...
  WITH COMPRESSION =
  { 'class': 'Encryptor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group_name'
    ['key_keyspace': 'kmip_keyspace'],
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

        • 'key_provider': 'KmipKeyProviderFactory' tells the encryptor to use a KMIP key server to manage its encryption keys. Include the 'key provider' entry only to specify to use a KMIP key server, otherwise omit this entry.

        • 'kmip_host': 'kmip_group_name' specifies the user-defined KMIP key server group name defined in the kmip_hosts section of the hcd.yaml file.

        • ['key_keyspace': 'kmip_keyspace'] specify an optional KMIP keyspace. Use keyspaces to allow granular management of keys on a per table or keyspace basis.

      • Compression and encryption:

        ALTER TABLE customers
  ...
  WITH COMPRESSION =
  { 'class': 'EncryptingDeflateCompressor',
  'key_provider': 'KmipKeyProviderFactory',
  'kmip_host': 'kmip_group_name',
  'cipher_algorithm': 'AES/ECB/PKCS5Padding',
  'secret_key_strength': 128 };

    2. Encrypt existing data on all nodes in the cluster:

    nodetool upgradesstables -a [keyspace_name [table_name[ tablename]...]

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com