Encrypting data

Data encryption uses a system key in the dse_system.encrypted_keys table.

The procedure for encrypting data changed in DataStax Enterprise 4.0.4. First, you use a new dsetool command to create a system key. The system key is used to encrypt all data in the dse_system.encrypted_keys table. Next, copy the system key you created to all nodes in the cluster. The individual encryption keys for each table are stored in the dse_system.encrypted_keys table, encrypted using the system key. The location of the system key is configured in the dse.yaml. The default location should be fine for a package install, but for a tarball installation you need to configure the path to a directory that you have permission to access.

Encrypting data in DataStax Enterprise 4.0.4 and later

  1. Back up SSTables.
  2. On a packaged installation, accept the default system_key_directory, /etc/dse/conf, and go to the next step to set permissions on the directory.

    On a tarball installation, you can either skip this step and only adjust permissions as described in the next step, or change the directory on each node in the cluster from /etc/dse/conf to another directory:

    • Navigate to install-directory/resources/dse/conf.
    • Open the dse.yaml file for editing.
    • Change the path of the system_key_directory to the path of a directory that you have permission to access.
  3. Set permissions on the system_key_directory so that only the user/group running DataStax Enterprise can change the keytab file. If JNA is installed and the permissions are too open, DataStax Enterprise tightens them automatically.
  4. Create a system key using the dsetool createsystemkey command. For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
  5. Copy the key to the location specified by system_key_directory on every node in the cluster.
  6. Perform a rolling restart on the cluster.
  7. Check that the dse_system keyspace and encrypted_keys table now exist.
    cqlsh:mykeyspace> DESCRIBE KEYSPACES;
    
    system  dse_system  mykeyspace  system_traces
    
    cqlsh:mykeyspace> USE dse_system;
    
    cqlsh:dse_system> DESCRIBE TABLES dse_system;
    
    encrypted_keys
  8. Set encryption options as you create a table or alter an existing table.

    Tables are encrypted when Cassandra stores the tables on disk as SSTables.

  9. Rewrite all SSTables using the specified encryption by running nodetool upgradesstables --include-all-sstables.

Encrypting data in DataStax Enterprise 4.0 - 4.0.3

  1. Back up SSTables.
  2. Set permissions so that only the user/group running DataStax Enterprise can change the keytab file. If JNA is installed, JNA takes care of setting these permissions.
  3. Ensure that the user encrypting data has been granted ALTER permission on the table containing the data to be encrypted.
  4. Set encryption options as you create a table or alter an existing table.
  5. Rewrite all SSTables using nodetool upgradesstables --include-all-sstables.