[ https://issues.apache.org/jira/browse/CASSANDRA-9633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17250665#comment-17250665 ]
shylaja kokoori commented on CASSANDRA-9633: -------------------------------------------- Hi All, I have ported Jason Brown's implementation to 4.0. Few related questions, 1) In cassandra.yaml file, for transparent_data_encryption_options, +keystore_password+ and +key_password+ are provided in plain text. Can we rely on Linux file system permission to protect the information? 2) During a read, when data is transferred between a node containing the data and the coordinator node, can we rely on encryption over wire to provide confidentiality? 3) I am not too familiar with streaming. When zero copy streaming is enabled and SSTables are transferred in its entirety, can I assume both the nodes have same keys or should key exchange happen? 4) Our security expert says, no more than 2^56 16 byte blocks (~1 EB) should be encrypted with a single key. Depending on the amount of writes that happen, that is probably several years of data encryption. Should that be a concern? > Add ability to encrypt sstables > ------------------------------- > > Key: CASSANDRA-9633 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9633 > Project: Cassandra > Issue Type: New Feature > Components: Legacy/Core > Reporter: Jason Brown > Assignee: shylaja kokoori > Priority: Normal > Labels: encryption, security, sstable > Fix For: 4.x > > > Add option to allow encrypting of sstables. > I have a version of this functionality built on cassandra 2.0 that > piggy-backs on the existing sstable compression functionality and ICompressor > interface (similar in nature to what DataStax Enterprise does). However, if > we're adding the feature to the main OSS product, I'm not sure if we want to > use the pluggable compression framework or if it's worth investigating a > different path. I think there's a lot of upside in reusing the sstable > compression scheme, but perhaps add a new component in cqlsh for table > encryption and a corresponding field in CFMD. > Encryption configuration in the yaml can use the same mechanism as > CASSANDRA-6018 (which is currently pending internal review). -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org