Use tools with Transparent Data Encryption (TDE)-encrypted SSTables
This topic explains how to use various tools with SSTables that are encrypted with Transparent Data Encryption (TDE).
When TDE is enabled on your HCD cluster, SSTables are automatically encrypted when written to disk. This encryption is transparent to applications and most administrative operations, but it’s important to understand how various tools interact with encrypted data.
HCD supports encryption with flat-file-based keys. With this implementation, tools like sstabledump, sstablerepairedset, and sstableloader work without additional configuration.
Tools that work with TDE-encrypted SSTables
The following tools automatically handle TDE-encrypted SSTables without additional configuration.
sstabledump
The sstabledump tool can read and display the contents of encrypted SSTables. It automatically detects the encryption and uses the system key to decrypt the data.
# Dump contents of an encrypted SSTable
sstabledump /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db
sstabledump requires access to the system key file used to encrypt the SSTables. Ensure the key file is accessible in the location specified by the system_key_directory configuration.
sstablerepairedset
The sstablerepairedset tool can modify the repair status of encrypted SSTables. This is useful for marking SSTables as repaired or unrepaired during maintenance operations.
# Mark an encrypted SSTable as repaired
sstablerepairedset --really-set --is-repaired /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db
# Mark an encrypted SSTable as unrepaired
sstablerepairedset --really-set --is-unrepaired /var/lib/cassandra/data/keyspace_name/table_name/table_name-*.db
Always stop HCD before running sstablerepairedset.
sstableloader
The sstableloader tool can load encrypted SSTables into a cluster. This is useful for bulk data operations between TDE-enabled clusters.
# Load encrypted SSTables into a cluster
sstableloader /var/lib/cassandra/data/keyspace_name/table_name/
When using sstableloader with encrypted SSTables, ensure that the target cluster has access to the same encryption keys used by the source cluster, or that the target cluster can decrypt the data using its own keys.
Tools with limited access to encrypted data
Some tools cannot directly access encrypted data but operate on unencrypted portions of SSTables.
nodetool
The nodetool utility uses JMX for communication and does not directly access encrypted SSTable data. It operates at the cluster management level rather than the data level.
sstablescrub
The sstablescrub tool operates directly on SSTables but cannot access encrypted data. It can only process unencrypted portions of the files.
sstableutil
The sstableutil tool provides utility functions for SSTables but has limited access to encrypted content.
sstableverify
The sstableverify tool can verify SSTable integrity but cannot validate encrypted data content.
Key management
- Ensure all nodes in the cluster have access to the same system key files.
- Back up encryption keys regularly and store them securely.
- Use different keys for different environments (development, staging, production).
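A pre-flight check for the key-file requirement noted under sstabledump and for the key management points above, written here as an added example (it is not part of HCD or of any of its tools): it confirms that the directory you have configured as system_key_directory exists, that the account about to run sstabledump or sstableloader can read every key file in it, and that no key file is readable by group or others. The directory path is passed as the first argument; every file name and mode it prints is simply what it finds on disk.

```shell
#!/bin/sh
# Added example, not HCD code: pre-flight checks for the TDE system key directory
# before running sstabledump / sstableloader on encrypted SSTables.

# check_key_dir DIR
#   Exit status 0 when DIR exists and holds at least one regular file that the
#   current user can read; otherwise prints the reason to stderr and returns 1.
check_key_dir() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "key directory missing: $dir" >&2
    return 1
  fi
  found=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if [ ! -r "$f" ]; then
      echo "key file not readable by $(id -un): $f" >&2
      return 1
    fi
    found=1
  done
  if [ "$found" -eq 0 ]; then
    echo "no key files found in $dir" >&2
    return 1
  fi
  return 0
}

# key_file_is_private FILE
#   Exit status 0 when FILE grants no permissions at all to group or others
#   (for example mode 0600 or 0400). Works with GNU stat and BSD/macOS stat.
key_file_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  mode=${mode#"${mode%???}"}   # keep only the last three octal digits
  group_other=${mode#?}         # drop the owner digit
  [ "$group_other" = "00" ]
}

# preflight DIR
#   Runs both checks over DIR and prints one line per key file. Returns 1 if
#   the directory is unusable or any key file is exposed to group or others.
preflight() {
  check_key_dir "$1" || return 1
  status=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if key_file_is_private "$f"; then
      echo "ok: $f"
    else
      echo "warning: $f is readable by group or others; tighten to 0600" >&2
      status=1
    fi
  done
  return $status
}

# Usage: sh preflight.sh /path/to/system_key_directory
[ $# -eq 0 ] || preflight "$1"
```

Run it as the same OS account that will invoke the SSTable tool, since readability is evaluated for the caller; a non-zero exit means either the tool will fail to find a usable key or the key is exposed more widely than it should be.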
Tool execution
Before you run tools, always:
- Stop HCD before running tools that modify SSTable metadata.
- Verify tool compatibility with your TDE configuration.
- Test tools in a non-production environment first.