Transparent Data Encryption (TDE) for DataStax Enterprise (DSE)

Mission Control supports the Transparent Data Encryption (TDE) feature of DSE. Apache Cassandra® does not have this feature.

To apply TDE, do the following:

  1. Generate the key file used for encryption and decryption by running the following dsetool command:

    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 tde.key -d .

  2. Store the key file in a secret in the same namespace as the cluster:

    kubectl create secret generic tde-secret --from-file=tde.key=/path/to/tde.key -n NAMESPACE

    Replace NAMESPACE with the namespace of the cluster.

  3. Create or update a MissionControlCluster resource that references the secret as an additional volume and mounts it into the cassandra container.

  4. Add the volume to the extraVolumes section of the MissionControlCluster spec under .spec.k8ssandra.cassandra:

    apiVersion: missioncontrol.datastax.com/v1beta2
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          ...
          extraVolumes:
            volumes:
              - name: tde-key
                secret:
                  secretName: tde-secret

  5. Mount the encryption key file into the cassandra container:

    apiVersion: missioncontrol.datastax.com/v1beta2
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          ...
          containers:
            - name: "cassandra"
              volumeMounts:
                - name: tde-key
                  mountPath: /var/tde

  6. Add the corresponding settings in the dse.yaml configuration file:

    apiVersion: missioncontrol.datastax.com/v1beta2
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          ...
          ...
          config:
            ...
            dseYaml:
              system_key_directory: /var/tde
              config_encryption_key_name: tde.key

  7. When these steps are completed, the resulting MissionControlCluster spec looks like this:

    apiVersion: missioncontrol.datastax.com/v1beta2
    kind: MissionControlCluster
    metadata:
      name: test
      namespace: <namespace>
    spec:
      createIssuer: true
      k8ssandra:
        cassandra:
          serverVersion: 6.8.36
          serverType: dse
          storageConfig:
            cassandraDataVolumeClaimSpec:
              storageClassName: standard
              accessModes:
                - ReadWriteOnce
              resources:
                requests:
                  storage: 5Gi
          networking:
            hostNetwork: true
          config:
            jvmOptions:
              heapSize: 8Gi
            dseYaml:
              system_key_directory: /var/tde
              config_encryption_key_name: tde.key
          containers:
            - name: "cassandra"
              volumeMounts:
                - name: tde-key
                  mountPath: /var/tde
          datacenters:
            - metadata:
                name: dc1
              size: 3
              resources:
                requests:
                  cpu: 16000m
                  memory: 32Gi
          extraVolumes:
            volumes:
              - name: tde-key
                secret:
                  secretName: tde-secret

  8. An encrypted table can then be created through CQLSH as follows:

    test-superuser@cqlsh> CREATE KEYSPACE test WITH replication = {'class': 'NetworkTopologyStrategy', 'dc1': 3};
    test-superuser@cqlsh> CREATE TABLE test.encryption_test (id int PRIMARY KEY, val text) WITH COMPRESSION = {
       ...       'class': 'EncryptingLZ4Compressor',
       ...       'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
       ...       'secret_key_strength' : 128,
       ...       'system_key_file' : 'tde.key' };

  9. Access this table by running the usual commands. For example:

    test-superuser@cqlsh> INSERT INTO test.encryption_test (id, val) VALUES ( 1, 'test');
    test-superuser@cqlsh> SELECT * FROM test.encryption_test
       ... ;

    Sample results:

     id | val
    ----+------
      1 | test
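
A consistency check for steps 4 through 6, as an added example that is not DataStax code: it confirms that the secret-backed volume, its mount in the cassandra container, and the dse.yaml key directory all agree. The function name, the constructed sample manifest, and the idea of exporting the resource as JSON first are assumptions of this example.

```python
import json
import sys

def check_tde_wiring(mcc):
    """Return a list of problems in a MissionControlCluster's TDE wiring."""
    cass = mcc.get("spec", {}).get("k8ssandra", {}).get("cassandra", {})
    problems = []
    # Step 4: secret-backed volumes declared under extraVolumes.volumes.
    volumes = cass.get("extraVolumes", {}).get("volumes", [])
    secret_vols = {v.get("name") for v in volumes
                   if (v.get("secret") or {}).get("secretName")}
    # Step 5: mount paths of those volumes in the "cassandra" container.
    mount_paths = set()
    for container in cass.get("containers", []):
        if container.get("name") != "cassandra":
            continue
        for m in container.get("volumeMounts", []):
            if m.get("name") in secret_vols:
                mount_paths.add(m.get("mountPath", "").rstrip("/"))
    if not secret_vols:
        problems.append("no secret-backed volume under extraVolumes.volumes")
    elif not mount_paths:
        problems.append("no secret volume is mounted into the cassandra container")
    # Step 6: dse.yaml must point at the directory where the key is mounted.
    dse = cass.get("config", {}).get("dseYaml", {})
    key_dir = (dse.get("system_key_directory") or "").rstrip("/")
    if not key_dir:
        problems.append("dseYaml.system_key_directory is not set")
    elif mount_paths and key_dir not in mount_paths:
        problems.append("system_key_directory %s is not a secret mountPath" % key_dir)
    if not dse.get("config_encryption_key_name"):
        problems.append("dseYaml.config_encryption_key_name is not set")
    return problems

# Constructed sample mirroring the spec on this page (not read from a cluster).
SAMPLE = {"spec": {"k8ssandra": {"cassandra": {
    "extraVolumes": {"volumes": [
        {"name": "tde-key", "secret": {"secretName": "tde-secret"}}]},
    "containers": [{"name": "cassandra", "volumeMounts": [
        {"name": "tde-key", "mountPath": "/var/tde"}]}],
    "config": {"dseYaml": {"system_key_directory": "/var/tde",
                           "config_encryption_key_name": "tde.key"}},
}}}}

if __name__ == "__main__":
    # Optional argument: path to a manifest exported as JSON (assumed workflow);
    # without it, the constructed sample above is checked.
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    issues = check_tde_wiring(manifest)
    print("\n".join(issues) or "TDE wiring is consistent")
    sys.exit(1 if issues else 0)
```

A mismatch between mountPath and system_key_directory is reported before the cluster is applied, while the manifest can still be corrected.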
