Transparent data encryption
Transparent data encryption (TDE) protects at rest data. At rest data is data that has been flushed from the memtable in system memory to the SSTables on disk.
As shown in the diagram, data stored in the commit log is not encrypted. If you need commit log encryption, store the commit log on an OS-level encrypted file system using Gazzang, for example. Data can be encrypted using different algorithms, or you can choose not to encrypt data at all. SSTable data files are immutable (they are not written to again after they have been flushed to disk). SSTables are encrypted only once when they are written to disk.
The CassandraFS (Cassandra file system) is accessed as part of the Hadoop File System (HDFS) using the configured authentication. If you encrypt the CassandraFS keyspace's sblocks and inode tables, all CassandraFS data gets encrypted.
Limitations and recommendations
Data is not directly protected by TDE when accessed using the following utilities.
|Utility||Reason Utility Is Not Encrypted|
|json2sstable||Operates directly on the sstables.|
|nodetool||Uses only JMX, so data is not accessed.|
|sstable2json||Operates directly on the sstables.|
|sstablekeys||Operates directly on the sstables.|
|sstableloader||Operates directly on the sstables.|
|sstablescrub||Operates directly on the sstables.|
The local file system could be protected through a third party whole-disk encryption solution. You choose ssl, kerberos authentication, encrypted file system, or other ways to secure nodes.
DataStax recommends that you do not export local file systems if possible. If you must export a local file system, ensure that mounting the file system on the node is a server-side capability.
Compression and encryption introduce performance overhead.
TDE requires a secure local file system to be effective. The encryption certificates are stored locally; therefore, an invasion of the local file system invalidates encryption.
To get the full capabilities of TDE, download and install the Java Cryptography Extension (JCE), unzip the jar files and place them under $JAVA_HOME/jre/lib/security. JCE-based products are restricted for export to certain countries by the U.S. Export Administration Regulations.
The high-level procedure for encrypting data is:
- Back up SSTables.
- Set permissions so that only the user/group running DataStax Enterprise can change the keytab file. If JNA is installed, JNA takes care of setting these permissions.
- Ensure that the user encrypting data has been granted ALTER permission on the table containing the data to be encrypted. You can use LIST PERMISSIONS to view the permissions granted to a user.
- Specify encryption options when you create a table or alter an existing table.
- Rewrite all SSTables using nodetool scrub or use nodetool flush to flush to disk all new data using the current settings for encryption.