Transparent Data Encryption (TDE)
DataStax Mission Control is currently in Public Preview. DataStax Mission Control is not intended for production use, has not been certified for production workloads, and might contain bugs and other functional issues. There is no guarantee that DataStax Mission Control will ever become generally available. DataStax Mission Control is provided on an “AS IS” basis, without warranty or indemnity of any kind. If you are interested in trying out DataStax Mission Control please join the Public Preview.
DataStax Mission Control supports the Transparent Data Encryption (TDE) feature of DSE.
- Generate an encryption or decryption key file by running the following `dsetool` command:

  ```shell
  dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 tde.key -d .
  ```
- Store the key file in a secret in the same namespace as the cluster. The key name inside the secret (`tde.key`) is the file name DSE will look for, so it must match the `config_encryption_key_name` configured later:

  ```shell
  kubectl create secret generic tde-secret --from-file=tde.key=/path/to/tde.key -n <namespace>
  ```
- Create (or update) a `MissionControlCluster` resource that references the secret as an additional volume and mounts it into the `cassandra` container.
  - Add the volume by adding a `volume` section to the `extraVolumes` section of the `MissionControlCluster` spec under `.spec.k8ssandra.cassandra`:

    ```yaml
    apiVersion: missioncontrol.datastax.com/v1beta1
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          extraVolumes:
            volumes:
              - name: tde-key
                secret:
                  secretName: tde-secret
    ```
  - Mount the encryption key file into the `cassandra` container:

    ```yaml
    apiVersion: missioncontrol.datastax.com/v1beta1
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          containers:
            - name: "cassandra"
              volumeMounts:
                - name: tde-key
                  mountPath: /var/tde
    ```
  - The final step is to add the corresponding settings in the `dse.yaml` configuration file:

    ```yaml
    apiVersion: missioncontrol.datastax.com/v1beta1
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          config:
            ...
            dseYaml:
              system_key_directory: /var/tde
              config_encryption_key_name: tde.key
    ```
- When these steps are completed the resulting `MissionControlCluster` spec looks like this:

  ```yaml
  apiVersion: missioncontrol.datastax.com/v1beta1
  kind: MissionControlCluster
  metadata:
    name: test
    namespace: <namespace>
  spec:
    createIssuer: true
    k8ssandra:
      cassandra:
        serverVersion: 6.8.36
        serverType: dse
        storageConfig:
          cassandraDataVolumeClaimSpec:
            storageClassName: standard
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 5Gi
        networking:
          hostNetwork: true
        config:
          jvmOptions:
            heapSize: 8Gi
          dseYaml:
            system_key_directory: /var/tde
            config_encryption_key_name: tde.key
        containers:
          - name: "cassandra"
            volumeMounts:
              - name: tde-key
                mountPath: /var/tde
        datacenters:
          - metadata:
              name: dc1
            size: 3
            resources:
              requests:
                cpu: 16000m
                memory: 32Gi
        extraVolumes:
          volumes:
            - name: tde-key
              secret:
                secretName: tde-secret
  ```
- An encrypted table can then be created through CQLSH as follows:

  ```
  test-superuser@cqlsh> CREATE KEYSPACE test WITH replication = {'class': 'NetworkTopologyStrategy', 'dc1': 3};
  test-superuser@cqlsh> CREATE TABLE test.encryption_test (id int PRIMARY KEY, val text) WITH COMPRESSION = {
                   ... 'class': 'EncryptingLZ4Compressor',
                   ... 'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
                   ... 'secret_key_strength' : 128,
                   ... 'system_key_file' : 'tde.key' };
  ```
- Access this table by running the usual commands. For example:

  `cqlsh` command:

  ```
  test-superuser@cqlsh> INSERT INTO test.encryption_test (id, val) VALUES ( 1, 'test');
  test-superuser@cqlsh> SELECT * FROM test.encryption_test
                   ... ;
  ```

  Sample result:

  ```
   id | val
  ----+------
    1 | test
  ```
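The steps above tie the key file together in several places: the data key of the Secret, the `extraVolumes` entry, the `volumeMounts` entry of the `cassandra` container, the `dseYaml` settings (`system_key_directory` plus `config_encryption_key_name`), and the `system_key_file` option of each encrypted table. A mismatch in any one of them means the node cannot find its key. The following script is an added example, not Mission Control or DSE code: it checks that wiring for a manifest. The manifest is the spec from this page written as JSON (a subset of YAML, so it parses with the standard library only), and `SECRET_KEYS` is a constructed stand-in for the data keys that `kubectl get secret -o json` would report; the namespace value `example-ns` is likewise a placeholder.

```python
"""Consistency check for the TDE key wiring in a MissionControlCluster spec.

Added example (not Mission Control code). It verifies that the Secret data
key, the extraVolumes entry, the cassandra volumeMount, the dseYaml settings
and the table's system_key_file all point at the same key file.
"""
import json

# Constructed sample: the cluster spec from this page, as JSON so that
# json.loads() can parse it without a YAML library.
MANIFEST_JSON = r"""
{
  "apiVersion": "missioncontrol.datastax.com/v1beta1",
  "kind": "MissionControlCluster",
  "metadata": {"name": "test", "namespace": "example-ns"},
  "spec": {
    "createIssuer": true,
    "k8ssandra": {
      "cassandra": {
        "config": {
          "dseYaml": {
            "system_key_directory": "/var/tde",
            "config_encryption_key_name": "tde.key"
          }
        },
        "containers": [
          {"name": "cassandra",
           "volumeMounts": [{"name": "tde-key", "mountPath": "/var/tde"}]}
        ],
        "extraVolumes": {
          "volumes": [{"name": "tde-key", "secret": {"secretName": "tde-secret"}}]
        }
      }
    }
  }
}
"""

# Constructed: data keys of each Secret in the namespace (what .data of
# `kubectl get secret <name> -o json` would list), keyed by Secret name.
SECRET_KEYS = {"tde-secret": ["tde.key"]}


def load_sample_manifest():
    """Parse the constructed sample manifest into a dict."""
    return json.loads(MANIFEST_JSON)


def check_tde_wiring(manifest, secret_keys, table_key_file=None):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    cass = manifest["spec"]["k8ssandra"]["cassandra"]
    dse = cass.get("config", {}).get("dseYaml", {})
    key_dir = dse.get("system_key_directory")
    key_name = dse.get("config_encryption_key_name")
    if not key_dir or not key_name:
        problems.append("dseYaml lacks system_key_directory or config_encryption_key_name")
        return problems

    # 1. The cassandra container must mount something at system_key_directory.
    mounts = [m for c in cass.get("containers", []) if c.get("name") == "cassandra"
              for m in c.get("volumeMounts", [])]
    mount = next((m for m in mounts if m.get("mountPath") == key_dir), None)
    if mount is None:
        problems.append(f"no volumeMount in the cassandra container at {key_dir}")
        return problems

    # 2. That mount must be backed by a Secret volume declared in extraVolumes.
    volumes = cass.get("extraVolumes", {}).get("volumes", [])
    vol = next((v for v in volumes if v.get("name") == mount["name"]), None)
    if vol is None or "secret" not in vol:
        problems.append(f"volumeMount {mount['name']} has no matching Secret volume")
        return problems

    # 3. The Secret must exist and carry a data key named config_encryption_key_name,
    #    because that is the file name DSE opens under system_key_directory.
    secret_name = vol["secret"].get("secretName")
    keys = secret_keys.get(secret_name)
    if keys is None:
        problems.append(f"Secret {secret_name} not found in namespace")
    elif key_name not in keys:
        problems.append(f"Secret {secret_name} has keys {keys}, not {key_name}")

    # 4. An encrypted table names the key file too; it must be the same file.
    if table_key_file is not None and table_key_file != key_name:
        problems.append(f"table system_key_file {table_key_file!r} != {key_name!r}")
    return problems


def run_sample():
    """Check the page's spec against the constructed Secret and table settings."""
    return check_tde_wiring(load_sample_manifest(), SECRET_KEYS, table_key_file="tde.key")


if __name__ == "__main__":
    for line in run_sample() or ["TDE key wiring is consistent"]:
        print(line)
```

To run it against a live cluster, feed `check_tde_wiring` the output of `kubectl get missioncontrolcluster <name> -n <namespace> -o json` and the `.data` keys of the referenced Secret; the table check takes the `system_key_file` value from the table's `COMPRESSION` options.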