Encrypting data
Data encryption uses a system key in the dse_system.encrypted_keys table.
The procedure for encrypting data changed in DataStax Enterprise 4.0.4. First, use the new dsetool createsystemkey command to create a system key. The system key encrypts all data in the dse_system.encrypted_keys table: the individual encryption key for each table is stored in that table, wrapped with the system key. Next, copy the system key you created to every node in the cluster. The location of the system key is configured by the system_key_directory setting in dse.yaml. The default location should be fine for a package install, but for a tarball installation you need to configure the path to a directory that you have permission to access.
Encrypting data in DataStax Enterprise 4.0.4 and later
- Back up SSTables.
- On a packaged installation, accept the default system_key_directory, /etc/dse/conf, and skip ahead to the step that sets permissions on the directory. On a tarball installation, either change the directory on each node in the cluster from /etc/dse/conf to another directory by following the next three steps, or keep the default and go straight to the permissions step.
- Navigate to install-directory/resources/dse/conf.
- Open the dse.yaml file for editing.
- Change the path of the system_key_directory to the path of a directory that you have permission to access.
- Set permissions on the system_key_directory to give rights to change the keytab file only to the user/group running DataStax Enterprise. If JNA is installed, and the permissions are too open, DataStax Enterprise makes the change automatically.
- Create a system key using the dsetool createsystemkey command. For example:
  $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
- Copy the key and paste it to the location specified by the system_key_directory on each node in the cluster.
- Perform a rolling restart on the cluster.
- Check that the dse_system keyspace and encrypted_keys table now exist.
  cqlsh:mykeyspace> DESCRIBE KEYSPACES;

  system  dse_system  mykeyspace  system_traces

  cqlsh:mykeyspace> USE dse_system;
  cqlsh:dse_system> DESCRIBE TABLES dse_system;

  encrypted_keys
- Set encryption options as you create a table or alter an existing table. Tables are encrypted when Cassandra stores them on disk as SSTables.
- Rewrite all SSTables using the specified encryption by running nodetool upgradesstables --include-all-sstables.
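The permissions step above is the one most often done wrong and the one that silently weakens the whole scheme, so here is a pre-flight check for the system_key_directory, plus a helper that builds the ALTER TABLE clause used in the "set encryption options" step. This is an added example, not DataStax code: the functions, the stricter no-world-read rule for key files, and the option names in the CQL clause (sstable_compression = Encryptor, cipher_algorithm, secret_key_strength) are my assumptions about the DSE 4.0 syntax and should be checked against your release's documentation before use.

```shell
#!/bin/sh
# Added example (not from the DataStax documentation).
# Verifies that the system_key_directory and the key files in it can only be
# changed by the DSE user, and builds the table encryption clause.

# Return 0 if PATH is owned by USER and is not writable by group or others.
# KIND is "dir" or "file"; key files are additionally rejected if world-readable
# (stricter than the page's rule, since the system key wraps every table key).
owned_and_private() {
    path=$1; user=$2; kind=$3
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)      # e.g. drwx------
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$owner" = "$user" ] || { echo "wrong owner on $path: $owner (want $user)" >&2; return 1; }
    case $mode in
        ?????w*)    echo "group-writable: $path ($mode)" >&2; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "world-writable: $path ($mode)" >&2; return 1 ;;
    esac
    if [ "$kind" = file ]; then
        case $mode in
            ???????r*) echo "world-readable key file: $path ($mode)" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Check the directory itself and every regular file inside it.
# Returns 0 only if every check passes; each problem is reported on stderr.
check_system_key_dir() {
    dir=$1; user=$2; rc=0
    owned_and_private "$dir" "$user" dir || rc=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owned_and_private "$f" "$user" file || rc=1
    done
    return $rc
}

# Build the ALTER TABLE statement that switches a table to encrypted SSTables.
# Option names are assumed to be the DSE 4.0 ones; adjust if your release differs.
encryption_clause() {
    table=$1; cipher=$2; strength=$3
    printf "ALTER TABLE %s WITH compression = { 'sstable_compression' : 'Encryptor', 'cipher_algorithm' : '%s', 'secret_key_strength' : %s };" \
        "$table" "$cipher" "$strength"
}

# Usage: sh check_tde_keys.sh /etc/dse/conf cassandra
# (second argument defaults to the current user)
if [ $# -ge 1 ]; then
    if check_system_key_dir "$1" "${2:-$(id -un)}"; then
        echo "system_key_directory $1: permissions OK"
    else
        exit 1
    fi
fi
```

Run it on every node after copying the system key and before the rolling restart; a non-zero exit means some file or the directory is writable by someone other than the DSE account (or a key file is world-readable), which is exactly the condition the permissions step is meant to rule out.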
Encrypting data in DataStax Enterprise 4.0 - 4.0.3
- Back up SSTables.
- Set permissions so that only the user/group running DataStax Enterprise can change the keytab file. If JNA is installed, JNA takes care of setting these permissions.
- Ensure that the user encrypting data has been granted ALTER permission on the table containing the data to be encrypted.
- Set encryption options as you create a table or alter an existing table.
- Rewrite all SSTables using nodetool upgradesstables --include-all-sstables.