
How to read from encrypted CDC in Cassandra


We have implemented TDE for all our tables in Cassandra DSE. We generated a system key using AES/ECB/PKCS5Padding / 128 as cipher algorithm.

We have also enabled CDC for a few tables that require CDC capture. Since TDE is enabled for the tables, the CDC logs are also encrypted.

We need to push the CDC captures to Kafka topics. We tried to decrypt the file using the system_key auto-generated in the system_key file.

AES/ECB/PKCS5Padding:128:(key)

But we are getting java.security.InvalidKeyException: Illegal key size or default parameters

Can you please advise whether this key can be used for decrypting the CDC logs, or suggest any solution?

Below is the snippet we used for decrypting.

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class EncryptDecrypt {

public static String encrypt(String input, String key) {
    byte[] crypted = null;
    try {

        // key.getBytes() is the 24 bytes of the Base64 text, so this builds a 192-bit AES key
        SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");

        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, skey);
        crypted = cipher.doFinal(input.getBytes());
    } catch (Exception e) {
        System.out.println(e.toString());
    }
    java.util.Base64.Encoder encoder = java.util.Base64.getEncoder();

    return new String(encoder.encodeToString(crypted));
}

public static String decrypt(String input, String key) {
    byte[] output = null;
    try {
        java.util.Base64.Decoder decoder = java.util.Base64.getDecoder();
        SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");          
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, skey);
        output = cipher.doFinal(decoder.decode(input));
    } catch (Exception e) {
        System.out.println(e.toString());
    }
    return new String(output);
}

/**
 * @param args
 */
public static void main(String[] args) {
    // TODO Auto-generated method stub

    String key = "qhk9gDtvTUlLW9dnh/UMaw==";
    String data = "ABC";

    System.out.println(EncryptDecrypt.encrypt(data, key));
    System.out.println(EncryptDecrypt.decrypt(EncryptDecrypt.encrypt(data, key), key));
}
}

Solution

  • The system_key file isn't used for direct encryption of the data, but for encryption of the actual encryption key that is stored in the dse_system.encrypted_keys. These keys are generated for every combination of algorithm/strength. See documentation for more details.
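The two-tier arrangement described in the answer, as an added example that is not part of the original post and is not DSE's own code: a system key encrypts a separate data key, and only the data key decrypts the data. The keys and the record are constructed, the class and variable names are hypothetical, and the real storage format of dse_system.encrypted_keys and of the CDC log segments is not reproduced here.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class KeyWrapDemo {
    static final String ALG = "AES/ECB/PKCS5Padding"; // cipher string from the question

    static byte[] run(int mode, SecretKey key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Base64 value held in a system_key file.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        String systemKeyB64 = Base64.getEncoder().encodeToString(gen.generateKey().getEncoded());

        // The Base64 text and the decoded key differ in length, so the text must be decoded first.
        System.out.println("text bytes:    " + systemKeyB64.getBytes(StandardCharsets.US_ASCII).length);
        SecretKey systemKey = new SecretKeySpec(Base64.getDecoder().decode(systemKeyB64), "AES");
        System.out.println("decoded bytes: " + systemKey.getEncoded().length);

        // Data tier: a separate data key encrypts the record (constructed sample data).
        SecretKey dataKey = gen.generateKey();
        byte[] plain = "cdc mutation".getBytes(StandardCharsets.UTF_8);
        byte[] record = run(Cipher.ENCRYPT_MODE, dataKey, plain);

        // Key tier: the system key only encrypts the data key (hypothetical stored form).
        byte[] wrappedDataKey = run(Cipher.ENCRYPT_MODE, systemKey, dataKey.getEncoded());

        // Applying the system key directly to the record does not recover the data.
        try {
            run(Cipher.DECRYPT_MODE, systemKey, record);
            System.out.println("direct decrypt: garbage, not the plaintext");
        } catch (BadPaddingException e) {
            System.out.println("direct decrypt: " + e.getClass().getSimpleName());
        }

        // Working order: decrypt the stored data key with the system key, then decrypt the record.
        byte[] rawDataKey = run(Cipher.DECRYPT_MODE, systemKey, wrappedDataKey);
        byte[] out = run(Cipher.DECRYPT_MODE, new SecretKeySpec(rawDataKey, "AES"), record);
        System.out.println("two-step decrypt: " + new String(out, StandardCharsets.UTF_8));
    }
}
```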