Encrypt tables with Transparent Data Encryption (TDE)
Configure Transparent Data Encryption (TDE) to protect all data in a table, except for the primary key columns. Different tables can use different keys.
HCD supports table encryption with keys you create using
Two keys are used for table encryption:
- Local encryption key: Encrypts/decrypts internal table encryption key values. Must be created using nodetool createsystemkey.
- Table encryption key: HCD creates a single key entry in the hcd_system.encrypted_keys table for each cipher algorithm, key strength, and local encryption key combination that is defined for table encryption. Tables with the same encryption settings use the same encryption key.
Data is encrypted when written to SSTables on disk. Applications can read and write to SSTables that use different encryption algorithms or no encryption at all.
Table encryption options and syntax
When a table definition uses an encryption class, all table data except for primary keys is encrypted with a key entry from the location pointed to by the cassandra.system_key_directory JVM flag (/etc/cassandra/conf by default).
If no keys match the cipher_algorithm, secret_key_strength, and system_key_file settings, a new key is created and added to the directory.
The following syntax only shows encryption options.
Syntax
COMPRESSION = {
'class' : '<encryption_class>'[,
'cipher_algorithm' : '<cipher_algorithm_type>'] [,
'secret_key_strength' : <length>] [,
'system_key_file': '<key_filename>'] };
Options
- encryption_class: Specifies the encryption type. HCD supports the Encryptor class. (Required)

  Name          Encrypts  Compresses
  Encryptor [1] Yes       No

  [1] When using the Encryptor class, specify a larger young generation heap (the -Xmn parameter) to improve garbage collection (GC).
- cipher_algorithm_type: Sets the type of encryption key. HCD supports the following JCE algorithms and corresponding lengths. See nodetool createsystemkey for the supported algorithms and key lengths.
  Default: system_key.
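The following CQL is an added example, not from the HCD documentation, that applies the syntax above to three tables. It assumes that nodetool createsystemkey has already been run on every node so that the local key named system_key exists under the cassandra.system_key_directory, and it assumes the 'AES/CBC/PKCS5Padding' cipher string and the 128-bit and 256-bit key strengths, neither of which is listed on this page; check the nodetool createsystemkey reference for the values your release accepts. The keyspace and table names are made up for the example.

```cql
-- Added example (not part of the HCD docs). Assumed values: the cipher
-- string 'AES/CBC/PKCS5Padding' and the strengths 128 and 256; 'system_key'
-- is the local key created beforehand with nodetool createsystemkey.
CREATE KEYSPACE IF NOT EXISTS tde_demo
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};

-- orders and order_items use identical encryption settings, so HCD reuses
-- one entry in hcd_system.encrypted_keys for both tables.
CREATE TABLE tde_demo.orders (
  order_id uuid PRIMARY KEY,   -- primary key columns are NOT encrypted
  customer_email text,         -- encrypted when flushed to SSTables
  total decimal
) WITH COMPRESSION = {
  'class' : 'Encryptor',
  'cipher_algorithm' : 'AES/CBC/PKCS5Padding',
  'secret_key_strength' : 128,
  'system_key_file' : 'system_key'
};

CREATE TABLE tde_demo.order_items (
  order_id uuid,
  line_no int,
  sku text,
  quantity int,
  PRIMARY KEY (order_id, line_no)  -- partition and clustering keys stay in cleartext
) WITH COMPRESSION = {
  'class' : 'Encryptor',
  'cipher_algorithm' : 'AES/CBC/PKCS5Padding',
  'secret_key_strength' : 128,
  'system_key_file' : 'system_key'
};

-- A different key strength is a different (cipher, strength, local key)
-- combination, so HCD creates a second key entry for this table.
CREATE TABLE tde_demo.payment_tokens (
  token_id uuid PRIMARY KEY,
  card_last4 text,
  token blob
) WITH COMPRESSION = {
  'class' : 'Encryptor',
  'cipher_algorithm' : 'AES/CBC/PKCS5Padding',
  'secret_key_strength' : 256,
  'system_key_file' : 'system_key'
};

-- Inspect the generated key entries: expect one row per distinct
-- combination of settings, not one per table.
SELECT * FROM hcd_system.encrypted_keys;
```

Because the primary key columns are written to disk unencrypted, keep identifying or secret values (email addresses, card data, tokens) out of partition and clustering keys and put them in regular columns, as the tables above do. Encryption applies as data is flushed to SSTables, so a table altered to use Encryptor still has its earlier SSTables in their previous form until they are rewritten.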