Encrypting data

Data encryption uses a system key in the dse_system.encrypted_keys table. The system key must exist on all nodes in the cluster. Tables are encrypted when Cassandra stores them on disk as SSTables. The entire cluster uses the system key to decrypt SSTables for operations such as repair. You also use the system key when upgrading, and when restoring SSTables that might have been corrupted.

The default system_key_directory /etc/dse/conf is specified in the dse.yaml file:
system_key_directory: /etc/dse/conf
On tarball installations, you can change the location of the system_key_directory:
  • Navigate to install-directory/resources/dse/conf.
  • Open the dse.yaml file for editing.
  • Change the path of the system_key_directory to the path of a directory that you have permission to access.
The location of the dse.yaml file depends on the type of installation:
  • Installer-Services: /etc/dse/dse.yaml
  • Package installations: /etc/dse/dse.yaml
  • Installer-No Services: install_location/resources/dse/conf/dse.yaml
  • Tarball installations: install_location/resources/dse/conf/dse.yaml

Procedure

  1. Back up SSTables.
  2. Define the location of the system key directory.
    • Packaged installations: Accept the default system_key_directory /etc/dse/conf.
    • Tarball installations: Either accept the default system_key_directory /etc/dse/conf, or change it on each node in the cluster to a directory that you have permission to access.
  3. Set permissions on the system_key_directory to give rights for changing the keytab file only to the user or group that is running DataStax Enterprise. JNA takes care of setting these permissions.
  4. Ensure that the user that encrypts data has been granted ALTER permission on the table that contains the data to be encrypted. You can use LIST PERMISSIONS to view the permissions granted to a user.
  5. Create a system key using the dsetool createsystemkey command.
    For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
    The system key is generated at /etc/dse/conf/system_key.
  6. Restart the cluster.
  7. Copy the key file to the location specified by system_key_directory on each node in the cluster.
  8. Set encryption options as you create a table or alter an existing table.
  9. To rewrite the existing SSTables on disk in encrypted form immediately, run nodetool upgradesstables --include-all-sstables.
  10. After encrypted SSTables are flushed to disk, ensure that the dse_system keyspace and encrypted_keys table exist:
    cqlsh:mykeyspace> DESCRIBE KEYSPACES;
    
    system  dse_system  mykeyspace  system_traces
    On all nodes, the system key appears when it is selected from the dse_system.encrypted_keys table:
    cqlsh:mykeyspace> SELECT * FROM dse_system.encrypted_keys;
     
    key_file   | cipher | strength | key_id        | key
    -----------+--------+----------+---------------+-----------
    system_key |    AES |      128 | 2e4ea4a0-...  | uyBEGhX...
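As an added check for steps 3 and 7 of the procedure (this is example code, not a DataStax tool): a POSIX shell function that verifies a node's system_key file is present, owned by the DSE service user with no group or other access, sits in a directory that group or other cannot write to, and prints a digest so the copies on every node can be compared. The service user name passed as the second argument and the digest tool (sha256sum or shasum) are assumptions, not from the page.

```shell
# Added example, not from the DataStax documentation: check a node's system key
# file after step 7 (key copied to every node) and step 3 (directory permissions).
# Assumptions (not on the page): the DSE service user name is passed in as $2,
# and sha256sum or shasum is available for the digest.

# check_system_key DIR USER
#   prints "ok <sha256>" and returns 0 when the key is present, owned by USER,
#   readable by USER only, and its directory is not group/other writable;
#   otherwise prints the reason and returns 1.
check_system_key() {
  dir="$1"; user="$2"; key="$dir/system_key"
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
  # stat flags differ between GNU (-c) and BSD (-f); try GNU first
  dmode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
  kmode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
  [ "$owner" = "$user" ] || { echo "wrong owner: $owner (expected $user)"; return 1; }
  # directory: neither group nor other may carry the write bit (2, 3, 6 or 7)
  case "$(printf '%s' "$dmode" | tail -c 2)" in
    [2367]?|?[2367]) echo "directory writable by group/other: mode $dmode"; return 1 ;;
  esac
  # key file: group and other must have no permission bits at all (mode ends in 00)
  case "$kmode" in
    *00) ;;
    *) echo "key too permissive: mode $kmode"; return 1 ;;
  esac
  if command -v sha256sum >/dev/null 2>&1; then
    digest=$(sha256sum "$key" | cut -d' ' -f1)
  else
    digest=$(shasum -a 256 "$key" | cut -d' ' -f1)
  fi
  echo "ok $digest"
}

# Demo on a constructed key file (not real key material); owner = current user.
demo_dir=$(mktemp -d)
printf 'constructed-sample-key-material\n' > "$demo_dir/system_key"
chmod 700 "$demo_dir"; chmod 600 "$demo_dir/system_key"
check_system_key "$demo_dir" "$(id -un)"            # ok <digest>
chmod 644 "$demo_dir/system_key"
check_system_key "$demo_dir" "$(id -un)" || true    # key too permissive: mode 644
rm -rf "$demo_dir"
```

Run it on every node with the real system_key_directory and the DSE service user; the digests must match across the cluster, since a node holding a different key cannot decrypt the others' SSTables during repair.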