Transparent Data Encryption (TDE) for DSE

Mission Control supports the Transparent Data Encryption (TDE) feature of DSE. Apache Cassandra® does not have this feature.

Generate an encryption or decryption key file by running the following dsetool command:
```
dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 tde.key -d .
```

Store the key file in a secret in the same namespace as the cluster:

kubectl create secret generic tde-secret --from-file=/path/to/tde.key --from-file=tde.key -n <namespace>

Create (or update) a MissionControlCluster resource that references the secret as additional volume and mount it into the cassandra container.

Add the volume by adding a volume section to the extraVolumes section of the MissionControlCluster spec under .spec.k8ssandra.cassandra:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test
  namespace: <namespace>
spec:
  createIssuer: true
  k8ssandra:
    cassandra:
      ...
      ...
      extraVolumes:
        volumes:
            - name: tde-key
              secret:
                secretName: tde-secret

Mount the encryption key file into the cassandra container:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test
  namespace: <namespace>
spec:
  createIssuer: true
  k8ssandra:
    cassandra:
      ...
      ...
      containers:
        - name: "cassandra"
          volumeMounts:
            - name: tde-key
              mountPath: /var/tde
annieden marked this conversation as resolved.

The final step is to add the corresponding settings in the dse.yaml configuration file:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test
  namespace: <namespace>
spec:
  createIssuer: true
  k8ssandra:
    cassandra:
      ...
      ...
      config:
        ...
        dseYaml:
          system_key_directory: /var/tde
          config_encryption_key_name: tde.key

When these steps are completed the resulting MissionControlCluster spec looks like this:

apiVersion: missioncontrol.datastax.com/v1beta1
kind: MissionControlCluster
metadata:
  name: test
  namespace: <namespace>
spec:
  createIssuer: true
  k8ssandra:
    cassandra:
      serverVersion: 6.8.36
      serverType: dse
      storageConfig:
        cassandraDataVolumeClaimSpec:
          storageClassName: standard
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
      networking:
        hostNetwork: true
      config:
        jvmOptions:
          heapSize: 8Gi
        dseYaml:
          system_key_directory: /var/tde
          config_encryption_key_name: tde.key
      containers:
        - name: "cassandra"
          volumeMounts:
            - name: tde-key
              mountPath: /var/tde
      datacenters:
        - metadata:
            name: dc1
          size: 3
          resources:
            requests:
              cpu: 16000m
              memory: 32Gi
      extraVolumes:
        volumes:
          - name: tde-key
            secret:
              secretName: tde-secret

An encrypted table can then be created through CQLSH as follows:

test-superuser@cqlsh> CREATE KEYSPACE test WITH replication = {'class': 'NetworkTopologyStrategy', 'dc1': 3};
test-superuser@cqlsh> CREATE TABLE test.encryption_test (id int PRIMARY KEY, val text) WITH COMPRESSION = {
   ...       'class': 'EncryptingLZ4Compressor',
   ...       'cipher_algorithm' : 'AES/ECB/PKCS5Padding',
   ...       'secret_key_strength' : 128,
   ...       'system_key_file' : 'tde.key' };

Access this table by running the usual commands. For example:

test-superuser@cqlsh> INSERT INTO test.encryption_test (id, val) VALUES ( 1, 'test');
test-superuser@cqlsh> SELECT * FROM test.encryption_test
   ... ;

Sample results

 id | val
----+------
  1 | test

Transparent Data Encryption (TDE) for DSE

Was this helpful?

Give Feedback