ttakaoka_188595 asked smadhavan commented

Why does TDE not encrypt cell values?

Hi, expert

I want to encrypt table data, but cannot encrypt it.

cqlsh:killr_video> CREATE TABLE encryption_test (d int PRIMARY KEY,passwod text) WITH COMPRESSION = {
... 'class': 'EncryptingLZ4Compressor',
... 'cipher_algorithm' : 'DESede/CBC/PKCS5Padding',
... 'secret_key_strength' : 112,
... 'system_key_file' : 'system_key' };
cqlsh:killr_video> INSERT INTO encryption_test(d,passwod) values(1,'aaa');
cqlsh:killr_video> select * from encryption_test ;

 d | passwod
---+---------
 1 | aaa

-> I was expecting passwod to be encrypted, but it is not.

How can I encrypt table data?

Am I wrong in my understanding of table encryption that can be achieved with Datastax?


smadhavan ♦ commented ·

@ttakaoka_188595 what version of DSE are you running here?

starlord answered ttakaoka_188595 commented

Hi ttakaoka_188595,

Previous to creating the table, did you set up and configure an encryption key and copy it to all the nodes in the cluster?


starlord ♦ commented ·

You should also be aware that if you configured things properly, you should still be able to decrypt and read the table on the local node.

If you wanted to see that encryption was working, try creating a new key and swapping it for the original (keeping the same name) and restarting DSE, then when reading you'd notice a ReadFailure.

sstabledump would also fail with a message reporting corruption as well as:

Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.


In order to read the table, you'd have to have the key for decrypting properly configured. Hopefully that helps, but let us know.

ttakaoka_188595 commented ·

Hi, expert

Thanks for your advice.

I am verifying your advice with Cassandra. Please wait a little while for the results.

steve.lacerda answered

Hi, @starlord is correct! You're probably missing some steps prior to the table creation:

1) Create an encryption key

2) Set the system_key_directory in dse.yaml

3) Create the table with encryption enabled

The directions can be found here for version 5.1:
https://docs.datastax.com/en/security/5.1/security/secEncryptTableLocal.html#Creatingatablewithencryptionandcompression

If you're using plain Cassandra, then you'll need a separate tool to encrypt data at rest:

https://dba.stackexchange.com/questions/6909/cassandra-encryption-at-rest


Erick Ramirez answered

The Transparent Data Encryption (TDE) feature in DataStax Enterprise provides the following functionality:

  • encrypt configuration file properties
  • encrypt system resources such as hint files and commit logs
  • encrypt SSTables and indexes

Its primary use is to encrypt data at rest, meaning the SSTables themselves are encrypted at the filesystem level so their contents cannot be accessed without the encryption keys.

TDE does not provide functionality to encrypt individual cell values. If you want to protect stored data such as user passwords, you will need to implement logic in your application to encrypt it then store the encrypted value in the database. Obviously your app will also need to decrypt the cell value after you retrieve it from the database. Cheers!

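Application-side encryption of the passwod cell, as the last answer recommends, shown as an added example that is not code from this page or from DataStax. It assumes AES-GCM from javax.crypto with a key held by the application (newKey, encryptCell and decryptCell are hypothetical names), and a HashMap stands in for the encryption_test table.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CellEncryptionDemo {
    // Hypothetical key source: a real app loads the key from a KMS or keystore, never from the table.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    // Encrypt one cell value. Output is base64(nonce || ciphertext || tag), storable in a text column.
    static String encryptCell(SecretKey key, String plaintext) throws Exception {
        byte[] nonce = new byte[12];            // 96-bit GCM nonce, fresh for every encryption
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Decrypt a stored cell value; a wrong key or tampered ciphertext fails the GCM tag check.
    static String decryptCell(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SecretKey appKey = newKey();
        Map<Integer, String> encryptionTest = new HashMap<>(); // stands in for the encryption_test table
        encryptionTest.put(1, encryptCell(appKey, "aaa"));     // the INSERT stores ciphertext, not 'aaa'
        System.out.println("passwod cell as stored: " + encryptionTest.get(1));
        System.out.println("decrypted by the app:   " + decryptCell(appKey, encryptionTest.get(1)));
        try {
            decryptCell(newKey(), encryptionTest.get(1));       // wrong key: fails like the swapped TDE key
        } catch (AEADBadTagException e) {
            System.out.println("wrong key -> " + e);
        }
    }
}
```

What lands in the column is opaque base64, so a SELECT in cqlsh no longer shows 'aaa'; the wrong-key branch mirrors the BadPaddingException seen above with a swapped TDE key (AEADBadTagException is its GCM subclass).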