Transparent Data Encryption (TDE) for DataStax Enterprise (DSE)
Mission Control supports the Transparent Data Encryption (TDE) feature of DSE. Apache Cassandra® does not have this feature.
To apply TDE, do the following:
-
Generate an encryption or decryption key file by running the following
dsetool
command:dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 tde.key -d .
-
Store the key file in a secret in the same namespace as the cluster:
kubectl create secret generic tde-secret --from-file=/path/to/tde.key --from-file=tde.key -n NAMESPACE
Replace
NAMESPACE
with the namespace of the cluster. -
Create or update a
MissionControlCluster
resource that references the secret as additional volume and mount it into thecassandra
container. -
Add the volume by adding a
volume
section to theextraVolumes
section of theMissionControlCluster
spec under.spec.k8ssandra.cassandra
:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: test namespace: <namespace> spec: createIssuer: true k8ssandra: cassandra: ... ... extraVolumes: volumes: - name: tde-key secret: secretName: tde-secret
-
Mount the encryption key file into the
cassandra
container:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: test namespace: <namespace> spec: createIssuer: true k8ssandra: cassandra: ... ... containers: - name: "cassandra" volumeMounts: - name: tde-key mountPath: /var/tde
-
Add the corresponding settings in the
dse.yaml
configuration file:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: test namespace: <namespace> spec: createIssuer: true k8ssandra: cassandra: ... ... config: ... dseYaml: system_key_directory: /var/tde config_encryption_key_name: tde.key
-
When these steps are completed the resulting
MissionControlCluster
spec looks like this:apiVersion: missioncontrol.datastax.com/v1beta2 kind: MissionControlCluster metadata: name: test namespace: <namespace> spec: createIssuer: true k8ssandra: cassandra: serverVersion: 6.8.36 serverType: dse storageConfig: cassandraDataVolumeClaimSpec: storageClassName: standard accessModes: - ReadWriteOnce resources: requests: storage: 5Gi networking: hostNetwork: true config: jvmOptions: heapSize: 8Gi dseYaml: system_key_directory: /var/tde config_encryption_key_name: tde.key containers: - name: "cassandra" volumeMounts: - name: tde-key mountPath: /var/tde datacenters: - metadata: name: dc1 size: 3 resources: requests: cpu: 16000m memory: 32Gi extraVolumes: volumes: - name: tde-key secret: secretName: tde-secret
-
An encrypted table can then be created through CQLSH as follows:
test-superuser@cqlsh> CREATE KEYSPACE test WITH replication = {'class': 'NetworkTopologyStrategy', 'dc1': 3}; test-superuser@cqlsh> CREATE TABLE test.encryption_test (id int PRIMARY KEY, val text) WITH COMPRESSION = { ... 'class': 'EncryptingLZ4Compressor', ... 'cipher_algorithm' : 'AES/ECB/PKCS5Padding', ... 'secret_key_strength' : 128, ... 'system_key_file' : 'tde.key' };
-
Access this table by running the usual commands. For example:
test-superuser@cqlsh> INSERT INTO test.encryption_test (id, val) VALUES ( 1, 'test'); test-superuser@cqlsh> SELECT * FROM test.encryption_test ... ;
Sample results
id | val ----+------ 1 | test