Inter-node encryption uses standard TLS/SSL to authenticate and encrypt messages between nodes, to preotect data in transit between nodes, and to prevent unauthorized access to/control of nodes.
Encryption can be applied to all inter-node messages, just messages crossing from one rack to another, or just messages crossing from one datacenter to another.
This page needs fleshing out... skeleton instructions from https://issues.apache.org/jira/browse/CASSANDRA-3051 are:
- follow the steps for generating a keystore and a trust store here: http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore 2. plug those files into
encryption_optionsincassandra.yaml3. make sureencryption_options.internode_encryption = allin the yaml.
See the section at the bottom of conf/cassandra.yaml:
# Enable or disable inter-node encryption
# Default settings are TLS v1, RSA 1024-bit keys (it is imperative that
# users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher
# suite for authentication, key exchange and encryption of the actual data transfers.
# NOTE: No custom encryption options are enabled at the moment
# The available internode options are : all, none, dc, rack
#
# If set to dc cassandra will encrypt the traffic between the DCs
# If set to rack cassandra will encrypt the traffic between the racks
#
# The passwords used in these options must match the passwords used when generating
# the keystore and truststore. For instructions on generating these files, see:
# http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
encryption_options:
internode_encryption: none
keystore: conf/.keystore
keystore_password: cassandra
truststore: conf/.truststore
truststore_password: cassandra
See also SimpleAuthenticator for details of the authentication of Thrift clients (rather than between nodes).