[ https://issues.apache.org/jira/browse/CASSANDRA-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115270#comment-15115270 ]
Jason Brown commented on CASSANDRA-9633: ---------------------------------------- Pushed a first-pass implementation [here|https://github.com/apache/cassandra/compare/trunk...jasobrown:9633] This submission does piggy back off the {{ICompressor}} interface, and plugs in reasonably well. Due to the stateful nature of {{EncryptingCompressor}} (see [the note|https://github.com/jasobrown/cassandra/blob/9633/src/java/org/apache/cassandra/io/compress/EncryptingCompressor.java#L47] at the top of the class file), it needs a unqiue copy of the compressor when creating new SSTables; hence the reason for {{CompressionParams.copyWithFreshCompressor()}}. I'm open to sugesstions on improving this. Through testing this, I uncovered some inefficiencies with {{CipherFactory}} (added with CASSANDRA-9945), so I refactored it a bit to cache instances of {{KeyProvider}}. Encrypted commit logs (CASSANDRA-6018) and hints (CASSANDRA-11040) are not really affected by this refactor. One oddity, though, will be for users when they do want to encrypt a table; they will have to set the compression options on the table - which doesn't map, in an obvious manner, to encryption. I'm wide open to suggestions on how to improve the "UI" for this; however, I'd be a bit reticent to create a parallel set of of classes similar to what we have for compression, as I suspect encryption won't be as widely employed as compression (and I'm not sure the extra infrastructure is worth it). > Add ability to encrypt sstables > ------------------------------- > > Key: CASSANDRA-9633 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9633 > Project: Cassandra > Issue Type: New Feature > Reporter: Jason Brown > Assignee: Jason Brown > Labels: encryption, security, sstable > Fix For: 3.x > > > Add option to allow encrypting of sstables. > I have a version of this functionality built on cassandra 2.0 that > piggy-backs on the existing sstable compression functionality and ICompressor > interface (similar in nature to what DataStax Enterprise does). However, if > we're adding the feature to the main OSS product, I'm not sure if we want to > use the pluggable compression framework or if it's worth investigating a > different path. I think there's a lot of upside in reusing the sstable > compression scheme, but perhaps add a new component in cqlsh for table > encryption and a corresponding field in CFMD. > Encryption configuration in the yaml can use the same mechanism as > CASSANDRA-6018 (which is currently pending internal review). -- This message was sent by Atlassian JIRA (v6.3.4#6332)