[ https://issues.apache.org/jira/browse/CASSANDRA-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674998#comment-15674998 ]

Jason Brown commented on CASSANDRA-9633:
----------------------------------------

bq. There appears to be a bit of a stall on this ticket

Yeah, I've been pulled in a couple of different directions lately. TBH, the 
work here is about 85-90% done, last I remember. I was just testing out a great 
many things.

Adding compression does make the blob passed into encryption smaller, which is 
why I chose it (also based on previous interactions with security folks). 
Making it an option is certainly reasonable. Supporting compression is already 
easy enough - I've already done it ;).

bq. Supporting cipher modes that don't use IVs allows

I agree with this in general, and for most existing ciphers. However, allowing 
a variable length IV (per algo/key), plus [~bdeggleston]'s comment "The cipher 
should be reinitialized with a fresh iv for each chunk" actually made things a 
lot cleaner, but was a lot of work (which is what I was testing when I got 
diverted).

I'll see if I can scrape together some time in the next week or two to rebase 
and continue this work.

> Add ability to encrypt sstables
> -------------------------------
>
>                 Key: CASSANDRA-9633
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9633
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Jason Brown
>            Assignee: Jason Brown
>              Labels: encryption, security, sstable
>             Fix For: 3.x
>
>
> Add option to allow encrypting of sstables.
> I have a version of this functionality built on cassandra 2.0 that 
> piggy-backs on the existing sstable compression functionality and ICompressor 
> interface (similar in nature to what DataStax Enterprise does). However, if 
> we're adding the feature to the main OSS product, I'm not sure if we want to 
> use the pluggable compression framework or if it's worth investigating a 
> different path. I think there's a lot of upside in reusing the sstable 
> compression scheme, but perhaps add a new component in cqlsh for table 
> encryption and a corresponding field in CFMD.
> Encryption configuration in the yaml can use the same mechanism as 
> CASSANDRA-6018 (which is currently pending internal review).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
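
The two design points discussed in the comment above (compress each chunk before encrypting it, and reinitialize the cipher with a fresh IV for every chunk) can be sketched as follows. This is an added example, not code from the ticket's patch or from Cassandra. The class name `ChunkCrypto`, the choice of AES/GCM and `Deflater`, and the on-disk chunk layout are all assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.zip.*;

// Hypothetical sketch. Assumed chunk layout: [1-byte IV length][IV][ciphertext + GCM tag]
public class ChunkCrypto {
    static final SecureRandom RNG = new SecureRandom();

    // Compress first, then encrypt: ciphertext does not compress, so the order matters.
    static byte[] seal(SecretKey key, int ivLen, byte[] plain) throws Exception {
        Deflater d = new Deflater();
        d.setInput(plain);
        d.finish();
        ByteArrayOutputStream packed = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!d.finished()) packed.write(buf, 0, d.deflate(buf));
        d.end();
        byte[] iv = new byte[ivLen];
        RNG.nextBytes(iv); // fresh IV for every chunk, never reused under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(packed.toByteArray());
        // Storing the IV length in the chunk allows a different IV size per algorithm/key.
        return ByteBuffer.allocate(1 + ivLen + ct.length).put((byte) ivLen).put(iv).put(ct).array();
    }

    static byte[] open(SecretKey key, byte[] chunk) throws Exception {
        int ivLen = chunk[0] & 0xff;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, chunk, 1, ivLen));
        // doFinal throws AEADBadTagException if the chunk was modified.
        byte[] packed = c.doFinal(chunk, 1 + ivLen, chunk.length - 1 - ivLen);
        Inflater inf = new Inflater();
        inf.setInput(packed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!inf.finished()) out.write(buf, 0, inf.inflate(buf));
        inf.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] row = "constructed sample row data ".repeat(40).getBytes(StandardCharsets.UTF_8);
        byte[] a = seal(key, 12, row), b = seal(key, 12, row);
        System.out.println("plain=" + row.length + " sealed=" + a.length + " roundTrip=" + Arrays.equals(row, open(key, a)));
        System.out.println("same plaintext, different ciphertext: " + !Arrays.equals(a, b));
    }
}
```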
