Migrating encrypted tables

Steps to migrate encrypted tables from earlier versions.

To migrate encrypted tables from earlier versions to DataStax Enterprise 4.5.2, first back up keys that hold encryption information, next upgrade the cluster to DataStax Enterprise 4.6, restore the backed up keys, and finally re-encrypt and rewrite the tables.

Procedure for upgrading encrypted tables 

  1. Back up the entire keyspace that has a dse_system.encrypted_keys table.
  2. Back up all system keys.
  3. Upgrade the cluster to DataStax Enterprise 4.6, following instructions in the "DataStax Upgrade Guide."
  4. Restart the cluster as described in the Upgrade Guide.
  5. Check that the dse_system.encrypted_keys table was created using the cqlsh DESCRIBE KEYSPACES command.
  6. If the dse_system.encrypted_keys table was created, go to the next step; otherwise, create the table manually.
    CREATE KEYSPACE dse_system WITH replication = {'class': 'EverywhereStrategy'};
    
    USE dse_system;
    
    CREATE TABLE encrypted_keys (
      key_file text,
      cipher text,
      strength int,
      key_id timeuuid,
      key text,
      PRIMARY KEY (key_file, cipher, strength, key_id)
    );
  7. Rewrite all SSTables.
    $ nodetool upgradesstables --include-all-sstables

If you need to restore the dse_system.encrypted_keys table, load the table. Do not truncate or delete anything.