Encrypting tables
Configure table encryption using a local encryption key on a per table basis.
Configure Transparent Data Encryption (TDE) to protect all data in a table, except for the primary key columns. Different tables can use different keys.
- Local encryption key: Encrypts/decrypts the internal table encryption key values.
- Table encryption key: DSE creates a single key entry in the dse_system.encrypted_keys table for each cipher algorithm, key strength, and local encryption key combination that is defined for table encryption. Note: Tables with the same encryption settings use the same encryption key.
Data is encrypted when written to SSTables on disk. Applications can read and write to SSTables that use different encryption algorithms or no encryption at all.
Creating a table with encryption and compression
After setting up local encryption keys, you can create tables with encryption and compression enabled. DataStax recommends creating tables with both encryption and compression enabled, using EncryptingLZ4Compressor as the encryption class.
Prerequisites
Procedure
- Change to the keyspace where you want to create the table. The following examples use test as the keyspace name:
USE test;
- Create the table with encryption and compression. The following example encrypts a table named encryption_test using the DESede algorithm with a key length of 112. Data is compressed using the EncryptingLZ4Compressor compressor.
Note: A local encryption key called system_key must exist in the directory specified by . This file was created when you set up local encryption keys. If the DSE account does not have read/write permission on the file, or the file is missing, the error message Failed to initialize Encryptor is displayed.
CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = { 'class': 'EncryptingLZ4Compressor', 'cipher_algorithm' : 'DESede/CBC/PKCS5Padding', 'secret_key_strength' : 112, 'system_key_file' : 'system_key' };
See Table encryption options and syntax for more information.
- To change the encryption settings, use the ALTER TABLE command and specify the settings to modify. The following command changes the cipher algorithm (and therefore the encryption key) used to encrypt the table data, and modifies the key strength.
ALTER TABLE test.encryption_test WITH COMPRESSION = { 'class': 'EncryptingLZ4Compressor', 'cipher_algorithm' : 'AES/ECB/PKCS5Padding', 'secret_key_strength' : 128, 'system_key_file' : 'system_key' };
- If you changed encryption settings, run the following command on all nodes in the cluster to rewrite the SSTables using the new encryption key:
nodetool upgradesstables -a test encryption_test
Table encryption options and syntax
View table encryption options and descriptions for each parameter.
Table encryption keys are stored in the dse_system.encrypted_keys table. If no key matches the cipher_algorithm, secret_key_strength, and system_key_file settings, a new key is created and added to the table. Standard compression options, such as chunk_length_in_kb, are also available.
Syntax
COMPRESSION = {
  'class' : 'encryption_class'
  [, 'cipher_algorithm' : 'cipher_algorithm_type']
  [, 'secret_key_strength' : length]
  [, 'system_key_file' : 'key_filename'] };
Options
encryption_class
- Specifies the encryption type. Use one of the class names from the following table. (Required)

Name                         Encrypts   Compresses
Encryptor [1]                Yes        No
EncryptingLZ4Compressor      Yes        Yes
EncryptingDeflateCompressor  Yes        Yes
EncryptingSnappyCompressor   Yes        Yes

[1] When using the Encryptor class, specify a larger young generation heap (the -Xmn parameter) to improve garbage collection (GC). For example, set the size to -Xmn1600M when running cassandra-stress.

cipher_algorithm_type
- Sets the type of encryption key. DSE supports the following JCE algorithms and corresponding key lengths.

length
- Specifies the length of the encryption key. Default: 128. (Optional)

key_filename
- Specifies the file name of the local encryption key used to encrypt the table key. Local keys are specified in . Default: system_key. (Optional)
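As an added example (editor's code, not DataStax's), the following Python checker parses the COMPRESSION map out of the CREATE and ALTER statements from the procedure above, fills in the documented defaults, derives the (cipher_algorithm, secret_key_strength, system_key_file) triple that selects a dse_system.encrypted_keys entry, and flags settings a reviewer would question. The class table and defaults come from this page; the DESede and ECB warnings are the editor's caveats, and the ALTER sample is adapted to omit system_key_file so the default is exercised.

```python
import re

# Encryption classes documented on this page: name -> compresses as well as encrypts
ENCRYPTION_CLASSES = {"Encryptor": False, "EncryptingLZ4Compressor": True,
                      "EncryptingDeflateCompressor": True, "EncryptingSnappyCompressor": True}
# Documented defaults for the optional settings
DEFAULTS = {"secret_key_strength": 128, "system_key_file": "system_key"}
_CLAUSE_RE = re.compile(r"WITH\s+COMPRESSION\s*=\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
_PAIR_RE = re.compile(r"'([^']+)'\s*:\s*(?:'([^']*)'|(\d+))")

# Sample input: the CREATE statement from the procedure above, plus an ALTER adapted
# from it with system_key_file left out so that the documented default applies
CREATE_STMT = ("CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = "
               "{ 'class': 'EncryptingLZ4Compressor', 'cipher_algorithm' : 'DESede/CBC/PKCS5Padding', "
               "'secret_key_strength' : 112, 'system_key_file' : 'system_key' };")
ALTER_STMT = ("ALTER TABLE test.encryption_test WITH COMPRESSION = { 'class': 'EncryptingLZ4Compressor', "
              "'cipher_algorithm' : 'AES/ECB/PKCS5Padding', 'secret_key_strength' : 128 };")


def parse_compression(cql):
    """Extract the COMPRESSION option map from a CREATE/ALTER TABLE statement."""
    match = _CLAUSE_RE.search(cql)
    if match is None:
        raise ValueError("statement has no WITH COMPRESSION = {...} clause")
    return {k: int(i) if i else s for k, s, i in _PAIR_RE.findall(match.group(1))}


def effective_settings(cql):
    """Apply the documented defaults; return (settings, warnings) or raise on bad input."""
    opts = parse_compression(cql)
    cls = opts.get("class")
    if cls not in ENCRYPTION_CLASSES:
        raise ValueError(f"unknown encryption class {cls!r}")
    settings, warnings = {**DEFAULTS, **opts}, []
    if not ENCRYPTION_CLASSES[cls]:
        warnings.append("Encryptor does not compress; EncryptingLZ4Compressor is recommended")
    algo = settings.get("cipher_algorithm")
    if algo is not None:
        parts = algo.split("/")  # JCE transformation: algorithm/mode/padding
        if len(parts) != 3:
            raise ValueError(f"cipher_algorithm {algo!r} is not algorithm/mode/padding")
        if parts[0].upper() == "DESEDE":
            warnings.append("DESede (3DES) is deprecated; prefer AES")
        if parts[1].upper() == "ECB":
            warnings.append("ECB mode exposes repeated plaintext blocks; prefer CBC")
    return settings, warnings


def key_identity(settings):
    """Triple that selects a dse_system.encrypted_keys row; equal triples share one table key."""
    return (settings.get("cipher_algorithm"), settings["secret_key_strength"], settings["system_key_file"])
```

Because the triple changes between the CREATE and ALTER statements, the ALTER selects a different key entry, which is why the procedure follows it with nodetool upgradesstables.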