Encrypting data

Data encryption uses a system key in the dse_system.encrypted_keys table.

To encrypt data, you use the dsetool createsystemkey command to create a system key for encryption. DataStax Enterprise inserts the system key into the dse_system.encrypted_keys table. Next, you copy the system key to the other nodes in the cluster. The entire cluster uses the system key to decrypt SSTables for operations such as repair. You also use the system key when upgrading SSTables and when restoring SSTables that have been corrupted. On tarball installations only, you need to configure the path to the system key so that the key is located in a directory that you have permission to access. Configuring the path is not necessary on packaged installations.

  1. Back up SSTables.
  2. On a packaged installation, accept the default system_key_directory /etc/dse/conf. Go to the next step to set permissions on the directory.

    On a tarball installation, optionally change the system_key_directory on each node in the cluster from /etc/dse/conf to another directory, or skip this step; in either case, adjust permissions as described in the next step.

    • Navigate to install-directory/resources/dse/conf.
    • Open the dse.yaml file for editing.
    • Change the path of the system_key_directory to the path of a directory that you have permission to access.
  3. Set permissions on the system_key_directory so that only the user/group running DataStax Enterprise has rights to change the keytab file. If JNA is installed, JNA sets these permissions for you.
  4. Ensure that the user encrypting data has been granted ALTER permission on the table containing the data to be encrypted. You can use LIST PERMISSIONS to view the permissions granted to a user.
  5. Create a system key using the dsetool createsystemkey command. For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
  6. Restart the cluster.
  7. Copy the key file to the location specified by system_key_directory on each node in the cluster.
  8. Set encryption options as you create a table or alter an existing table.

    Tables are encrypted when Cassandra stores the tables on disk as SSTables.

  9. Rewrite all SSTables using nodetool upgradesstables --include-all-sstables to store the tables on disk immediately.
  10. After encrypted SSTables are flushed to disk, you can check that the dse_system keyspace and encrypted_keys table exist.
    cqlsh:mykeyspace> DESCRIBE KEYSPACES;
    
    system  dse_system  mykeyspace  system_traces

    On all nodes, the system key appears when selected from the dse_system.encrypted_keys table:

    cqlsh:mykeyspace> SELECT * FROM dse_system.encrypted_keys;
     
    key_file   | cipher | strength | key_id        | key
    -----------+--------+----------+---------------+-----------
    system_key |    AES |      128 | 2e4ea4a0-... | uyBEGhX...
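Steps 3 and 7 leave the cluster's ability to decrypt its own SSTables resting on one file per node, so a quick check that the file is present and locked down on every node is worth scripting. The following POSIX sh function is an added example, not part of the DataStax documentation or tooling; it assumes the key file is named system_key inside the system_key_directory and that the DSE service user is passed as an argument.

```shell
#!/bin/sh
# Pre-flight check for a DSE system key file (added example, not DataStax code).
# Passes when DIR/system_key exists, both DIR and the file are owned by USER,
# and neither grants any access to "other" nor write access to the group.

# Portable stat helpers: GNU stat (-c) first, BSD stat (-f) as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Lowest three octal digits of a mode string, zero-padded ("2750" -> "750", "0" -> "000").
perm_bits() { p=$(printf '%03d' "$1"); prefix=${p%???}; printf '%s' "${p#"$prefix"}"; }

# check_system_key DIR USER [KEYNAME]   (KEYNAME defaults to system_key, as in the page)
check_system_key() {
  dir=$1; user=$2; key="$dir/${3:-system_key}"; rc=0
  [ -d "$dir" ] || { echo "FAIL: directory $dir does not exist" >&2; return 2; }
  [ -f "$key" ] || { echo "FAIL: key file $key does not exist" >&2; return 2; }
  for path in "$dir" "$key"; do
    owner=$(file_owner "$path")
    perm=$(perm_bits "$(file_mode "$path")")
    group=${perm%?}; group=${group#?}   # middle octal digit (group bits)
    other=${perm#??}                    # last octal digit (other bits)
    if [ "$owner" != "$user" ]; then
      echo "FAIL: $path is owned by $owner, expected $user" >&2; rc=1
    fi
    if [ "$other" != 0 ]; then
      echo "FAIL: $path mode $perm grants access to all users" >&2; rc=1
    fi
    if [ $((group & 2)) -ne 0 ]; then
      echo "FAIL: $path mode $perm is group-writable" >&2; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $key is owned by $user and not exposed"
  return "$rc"
}
```

Run it on every node after step 3 and again after step 7 (for example, `check_system_key /etc/dse/conf cassandra`); a non-zero exit on any node means that node will either fail to read the key or expose it.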