Use tools with Transparent Data Encryption (TDE)-encrypted SSTables

This topic explains how to use various tools with SSTables that are encrypted with Transparent Data Encryption (TDE).

When TDE is enabled on your HCD cluster, SSTables are automatically encrypted when written to disk. This encryption is transparent to applications and most administrative operations, but it’s important to understand how various tools interact with encrypted data.

HCD supports encryption via flat-file based keys. With this implementation, tools like sstabledump, sstablerepairedset, and sstableloader work without additional configuration.

Tools that work with TDE-encrypted SSTables

The following tools automatically handle TDE-encrypted SSTables without additional configuration.

sstabledump

The sstabledump tool can read and display the contents of encrypted SSTables. It automatically detects the encryption and uses the system key to decrypt the data.

# Dump contents of an encrypted SSTable
sstabledump /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db

sstabledump requires access to the system key file used to encrypt the SSTables. Ensure the key file is accessible in the location specified by the system_key_directory configuration.

sstablerepairedset

The sstablerepairedset tool can modify the repair status of encrypted SSTables. This is useful for marking SSTables as repaired or unrepaired during maintenance operations.

# Mark an encrypted SSTable as repaired
sstablerepairedset --really-set --is-repaired /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db

# Mark an encrypted SSTable as unrepaired
sstablerepairedset --really-set --is-unrepaired /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db

Always stop HCD before running sstablerepairedset on encrypted SSTables to ensure data consistency.

sstableloader

The sstableloader tool can load encrypted SSTables into a cluster. This is useful for bulk data operations between TDE-enabled clusters.

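# Load encrypted SSTables into a cluster
# -d gives the initial contact host(s) of the target cluster; <initial_host> is a placeholder
sstableloader -d <initial_host> /var/lib/cassandra/data/keyspace_name/table_name/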

When using sstableloader with encrypted SSTables, ensure that the target cluster has access to the same encryption keys used by the source cluster, or that the target cluster can decrypt the data using its own keys.

Tools with limited access to encrypted data

Some tools cannot directly access encrypted data but operate on unencrypted portions of SSTables.

nodetool

The nodetool utility uses JMX for communication and does not directly access encrypted SSTable data. It operates at the cluster management level rather than the data level.

sstablescrub

The sstablescrub tool operates directly on SSTables but cannot access encrypted data. It can only process unencrypted portions of the files.

sstableutil

The sstableutil tool provides utility functions for SSTables but has limited access to encrypted content.

sstableverify

The sstableverify tool can verify SSTable integrity but cannot validate encrypted data content.

Key management

  • Ensure all nodes in the cluster have access to the same system key files

  • Back up encryption keys regularly and store them securely

  • Use different keys for different environments (development, staging, production)
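
A pre-flight check for the key-file requirements stated under sstabledump and Key management above, as an added example that is not part of the HCD documentation or tooling. The function name check_key_dir is hypothetical, the directory you pass is assumed to be your system_key_directory value, and the owner-only permission rule is this example's assumption of good practice rather than a documented HCD requirement.

```shell
#!/bin/sh
# Added example: pre-flight check of a TDE key directory.
# Assumption: $1 is the value of system_key_directory; no key file name is
# assumed, so every regular file in the directory is checked.
# Requires GNU stat and sha256sum (Linux).

check_key_dir() {
    dir=$1
    rc=0
    found=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: key directory '$dir' does not exist" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is not readable by $(id -un)" >&2
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")
        # Group and other digits must both be 0 (owner-only access).
        case $mode in
            *00|0) ;;
            *) echo "FAIL: $f has mode $mode, expected owner-only" >&2
               rc=1 ;;
        esac
        # Print a fingerprint, never the key, for comparison across nodes.
        echo "$(sha256sum "$f" | cut -d' ' -f1)  $(basename "$f")"
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no key files found in '$dir'" >&2
        return 2
    fi
    return "$rc"
}

# Run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_key_dir "$1"
fi
```

Run it as the same OS user that runs the SSTable tools, and compare the printed fingerprints between nodes to confirm they hold the same key files.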

Tool execution

Before you run tools, always:

  • Stop HCD before running tools that modify SSTable metadata.

  • Verify tool compatibility with your TDE configuration.

  • Test tools in a non-production environment first.

© 2025 DataStax, an IBM Company