Inter-node encryption uses standard TLS/SSL to authenticate and encrypt messages between nodes, to protect data in transit between nodes, and to prevent unauthorized access to, or control of, nodes.

Encryption can be applied to all inter-node messages, just messages crossing from one rack to another, or just messages crossing from one datacenter to another.

This page needs fleshing out... skeleton instructions from are:

  1. follow the steps for generating a keystore and a trust store here:

  2. plug those files into encryption_options in cassandra.yaml

  3. make sure encryption_options.internode_encryption = all in the yaml.

See the section at the bottom of conf/cassandra.yaml:

# Enable or disable inter-node encryption
# Default settings are TLS v1, RSA 1024-bit keys (it is imperative that
# users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher
# suite for authentication, key exchange and encryption of the actual data transfers.
# NOTE: No custom encryption options are enabled at the moment
# The available internode options are : all, none, dc, rack
# If set to dc cassandra will encrypt the traffic between the DCs
# If set to rack cassandra will encrypt the traffic between the racks
# The passwords used in these options must match the passwords used when generating
# the keystore and truststore.  For instructions on generating these files, see:
encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
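
One way to check steps 2 and 3 on a node, as an added example that is not part of the original page or of Cassandra itself: a small Python audit of the encryption_options block. The function names, the line-based reader, and the placeholder password in CONFIGURED are assumptions made for illustration.

```python
"""Audit the encryption_options block of a cassandra.yaml (added example)."""
SHIPPED_PASSWORD = "cassandra"          # default value in the stock cassandra.yaml
SCOPES = {"all", "none", "dc", "rack"}  # internode options listed in the file

def parse_encryption_options(yaml_text):
    """Read the flat block under 'encryption_options:' (not a general YAML parser; no '#' in values)."""
    options, inside = {}, False
    for line in yaml_text.splitlines():
        bare = line.split("#", 1)[0].rstrip()   # drop comments
        if not bare.strip():
            continue
        if not bare[0].isspace():               # a top-level key starts or ends the block
            inside = bare.strip() == "encryption_options:"
            continue
        if inside:
            key, _, value = bare.strip().partition(":")
            options[key.strip()] = value.strip().strip("'\"")
    return options

def audit(yaml_text):
    """Return a list of findings; an empty list means the block passed."""
    opts = parse_encryption_options(yaml_text)
    findings = []
    scope = opts.get("internode_encryption", "none")
    if scope not in SCOPES:
        findings.append(f"unknown internode_encryption value: {scope!r}")
    elif scope == "none":
        findings.append("internode_encryption is none: inter-node traffic is unencrypted")
    elif scope != "all":
        findings.append(f"internode_encryption is {scope}: traffic inside a {scope} stays unencrypted")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == SHIPPED_PASSWORD:
            findings.append(f"{key} is still the shipped default")
    for key in ("keystore", "truststore"):
        if not opts.get(key):
            findings.append(f"{key} path is not set")
    return findings

# Constructed samples: the stock block from this page and a configured variant (placeholder password).
STOCK = """encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
"""
CONFIGURED = STOCK.replace("none", "all").replace("password: cassandra", "password: <site-specific>")
if __name__ == "__main__":
    print("stock:", audit(STOCK), "configured:", audit(CONFIGURED))
```

To audit a real node, pass the contents of conf/cassandra.yaml to audit() and treat any returned finding as a failed check.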

See also SimpleAuthenticator for details of the authentication of Thrift clients (rather than between nodes).


InternodeEncryption (last edited 2013-11-14 21:47:15 by 107)