Covers Encryption In Transit which is: Client to Node, Node to Node, and an overview of Encryption At Rest which includes data stored in Tables, System, and Providers.
Moving to the next security feature, again disabled by default in ScyllaDB: encryption. We have two types of encryption in ScyllaDB. One is encryption in transit. Encryption in transit protects your data either between the client and the database or between the nodes of the database. Encryption at rest is encrypting data on storage. I will touch on each of them separately.

One thing to remember: encryption in transit and all the features that I covered so far are available on ScyllaDB Open Source. Encryption at rest is only available on ScyllaDB Enterprise. Okay, that's the only feature that is Enterprise-only that I covered so far.

So, encryption in transit. First, what are we protecting from? That's related to the bingo that you might have. If you're not using encryption in transit, someone might snoop on the wire and basically capture, with Wireshark even or this kind of tool, the packets that you are sending from your application to the database. This information of course might be sensitive: if your database is holding user information, then you must send this user information across the wire, and someone might pick it up. Even worse, someone might execute a man-in-the-middle attack and pretend to be the database, or pretend to be the user, and exchange messages. Encryption in transit tries to prevent that.

It's very similar, for those who are familiar with it, to the way that the browser encrypts data between the browser and the web server, which is HTTPS. A similar phase happens here. You should enable it. Again, it's disabled by default; I already mentioned it like six times, so I have four more times to mention it. But you should enable it manually both on the driver and on the database. The driver of course is compatible with Cassandra, so it's the same driver that you would use; the Apache Cassandra encryption you can use with ScyllaDB.

Very similar is encryption between the nodes. Since ScyllaDB is a distributed database, everything that you send to one node is usually replicated to other nodes, and that includes sensitive user information. The format will be slightly different but the principle is the same: it may include sensitive information. You can define encryption in transit either between all the nodes, or just between datacenters or regions, or just between racks. In some cases it makes sense, because inside the region all the IPs are private and it's less exposed; maybe between datacenters you have to send it across between regions or over the public Internet, and it's more sensitive there, and you might want to encrypt just that.

I can already guess that some people will ask me afterwards what is the performance state of encryption, both on the wire and at rest, and I can tell you it's minimal. So it's between, for encryption, it's five percent; encryption on the wire is even less than that. So if you are worried about enabling encryption all over the place because of performance, usually it's not a valid worry, let me put it this way. Of course you should check it, but it's not as bad.

So we covered encryption in transit. You enable it through a PEM file and such. I'm not going to go into the detail; it's well documented and most of you probably are familiar with it from other platforms.
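
The two in-transit settings described in the talk, shown as a scylla.yaml fragment. This is an added example, not part of the talk and not ScyllaDB's shipped configuration; the certificate and key paths are placeholders, and the PEM files are assumed to have been issued by your own CA.

```yaml
# scylla.yaml (fragment) -- constructed example, paths are placeholders

# Client to node: protects CQL traffic between the application driver and
# the database. Disabled by default; the driver must be configured for TLS
# as well, or its connections will fail once this is switched on.
client_encryption_options:
    enabled: true                                # default is false
    certificate: /etc/scylla/certs/node.crt      # PEM, this node's certificate
    keyfile: /etc/scylla/certs/node.key          # PEM, this node's private key

# Node to node: protects replication and other inter-node traffic.
# internode_encryption selects which links are encrypted:
#   none - nothing is encrypted (default)
#   rack - only traffic between racks
#   dc   - only traffic between datacenters
#   all  - all traffic between nodes
server_encryption_options:
    internode_encryption: all
    certificate: /etc/scylla/certs/node.crt
    keyfile: /etc/scylla/certs/node.key
    truststore: /etc/scylla/certs/ca.crt         # PEM, CA used to verify peer nodes
```

Choosing dc or rack leaves links inside a datacenter or rack in plaintext, so those values only fit when that internal network is trusted, as the talk notes for private IPs inside a region.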