Encrypt tables with Transparent Data Encryption (TDE)

Configure Transparent Data Encryption (TDE) to protect all data in a table, except for the primary key columns. Different tables can use different keys.

HCD supports table encryption with keys you create using nodetool createsystemkey.

Two keys are used for table encryption:

  • Local encryption key: Encrypts/decrypts internal table encryption key values. Must be created using nodetool createsystemkey.

  • Table encryption key: HCD creates a single key entry in the hcd_system.encrypted_keys table for each cipher algorithm, key strength, and local encryption key combination that is defined for table encryption.

    Tables with the same encryption settings use the same encryption key.

Data is encrypted when written to SSTables on disk. Applications can read and write to SSTables that use different encryption algorithms or no encryption at all.
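The key-sharing rule above determines how far one key reaches: one table encryption key entry exists per cipher algorithm, key strength, and local encryption key combination. The following is an added example, not HCD code or tooling, that audits a table inventory for shared key entries, unencrypted tables, and the tables that depend on a given local encryption key. The inventory, its field names, the cipher strings, and the key file names are all constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class TableEnc(NamedTuple):
    table: str
    cipher: Optional[str]     # None means the table is not encrypted
    strength: Optional[int]   # key strength in bits
    local_key: Optional[str]  # local encryption key file name (hypothetical)

# Constructed inventory: table names, ciphers and key files are illustrative.
INVENTORY = [
    TableEnc("app.users", "AES/CBC/PKCS5Padding", 128, "system_key"),
    TableEnc("app.orders", "AES/CBC/PKCS5Padding", 128, "system_key"),
    TableEnc("app.cards", "AES/CBC/PKCS5Padding", 256, "system_key"),
    TableEnc("hr.payroll", "AES/CBC/PKCS5Padding", 128, "hr_key"),
    TableEnc("app.audit_log", None, None, None),
]

def key_entries(inventory):
    """Group tables by the (cipher, strength, local key) combination.

    Each distinct combination corresponds to one table encryption key entry,
    so every table in a group is protected by the same table key.
    """
    groups = defaultdict(list)
    for t in inventory:
        if t.cipher is not None:
            groups[(t.cipher, t.strength, t.local_key)].append(t.table)
    return dict(groups)

def shared_key_groups(inventory):
    """Key entries used by more than one table."""
    return {k: v for k, v in key_entries(inventory).items() if len(v) > 1}

def unencrypted(inventory):
    """Tables with no encryption configured."""
    return [t.table for t in inventory if t.cipher is None]

def depends_on_local_key(inventory, local_key):
    """Tables whose table key is protected by the given local encryption key.

    This is the set to re-protect if that local key file is exposed.
    """
    return sorted(t.table for t in inventory if t.local_key == local_key)

if __name__ == "__main__":
    for combo, tables in key_entries(INVENTORY).items():
        print(combo, "->", tables)
    print("unencrypted:", unencrypted(INVENTORY))
    print("system_key scope:", depends_on_local_key(INVENTORY, "system_key"))
```

Separating tables onto different local encryption keys narrows the scope each key protects; changing only the cipher or strength creates a new table key entry but leaves the tables dependent on the same local key.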


© 2025 DataStax, an IBM Company
