To encrypt data using encryption keys that are stored locally, use the dsetool command to
create a system key for encryption, then copy the system key to the other nodes in
the cluster. Every node in the cluster uses the same system key to decrypt SSTables for
operations such as repair. You also use the system key when upgrading SSTables and when
restoring SSTables that might have been corrupted.
Procedure

- Back up SSTables.
- Set the system_key_directory.
  - On a packaged installation, accept the default system_key_directory,
    /etc/dse/conf, and go to the next step to set permissions on the directory.
  - On a tarball installation, optionally change the directory on each node in
    the cluster from /etc/dse/conf to another directory, or skip this step and
    adjust permissions as described in the next step. If you relocate the key,
    you must set the path to the system key to a directory that you have
    permission to access:
    - Navigate to install_location/resources/dse/conf.
    - Open dse.yaml for editing.
    - Change system_key_directory to the path of a directory that you have
      permission to access.
    The location of the dse.yaml file depends on the type of installation:

      Installer-Services       /etc/dse/dse.yaml
      Package installations    /etc/dse/dse.yaml
      Installer-No Services    install_location/resources/dse/conf/dse.yaml
      Tarball installations    install_location/resources/dse/conf/dse.yaml
- Set permissions on the system_key_directory so that only the user and group
  running DataStax Enterprise can change the system key file. JNA takes care of
  setting these permissions.
- Ensure that the user who encrypts data has been granted ALTER permission on the
  table that contains the data to be encrypted. Use LIST PERMISSIONS to view the
  permissions that are granted to a user.
- Create a system key using the dsetool createsystemkey command. For example:

  $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key

  The arguments are the cipher transformation, the key strength in bits and the
  name of the key file. ECB mode produces identical ciphertext for identical
  plaintext blocks; where your DSE version accepts it, prefer a CBC transformation
  such as 'AES/CBC/PKCS5Padding'.
- Restart the cluster.
- Copy the created key to the system_key_directory on each node in the cluster.
- Set encryption options when you create a table or alter an existing table.
  Tables are encrypted when Cassandra stores them on disk as SSTables.
- Rewrite all SSTables using nodetool upgradesstables --include-all-sstables to
  immediately rewrite the existing SSTables on disk in encrypted form.
- After encrypted SSTables are flushed to disk, verify that the dse_system
  keyspace and the encrypted_keys table exist:

  cqlsh:mykeyspace> DESCRIBE KEYSPACES;

  system  dse_system  mykeyspace  system_traces

  On every node, the system key appears when you select from the
  dse_system.encrypted_keys table:

  cqlsh:mykeyspace> SELECT * FROM dse_system.encrypted_keys;

   key_file   | cipher | strength | key_id        | key
  ------------+--------+----------+---------------+-----------
   system_key | AES    | 128      | 2e4ea4a0-...  | uyBEGhX...
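The procedure above as one script, added here as an editor's example; it is not part of the DataStax documentation and not DSE's own tooling. It assumes things the page does not state: DSE runs as the cassandra user and group, the other nodes are listed in NODES and reachable over passwordless ssh/scp as that user, the table being encrypted is mykeyspace.users, and the compression option names ('sstable_compression': 'Encryptor', 'cipher_algorithm', 'secret_key_strength') are those of DSE's Encryptor compressor (check them against your DSE version). The key is created in one step and distributed in a second so that the cluster restart the page calls for can happen in between.

```shell
#!/bin/sh
# Added example (not from the DSE docs): create, lock down, distribute and
# verify a locally stored DSE system key, then switch a table to encryption.
# Assumed: DSE service account "cassandra", node list in NODES, passwordless
# ssh/scp, table mykeyspace.users, Encryptor compression option names.
set -eu

SYSTEM_KEY_DIR="${SYSTEM_KEY_DIR:-/etc/dse/conf}"  # must match system_key_directory in dse.yaml
KEY_NAME="${KEY_NAME:-system_key}"
DSE_USER="${DSE_USER:-cassandra}"                   # assumed service account
NODES="${NODES:-}"                                  # assumed: "node2 node3 ...", this node excluded

# Return 0 when the key file is owned by the DSE service account and is
# readable and writable by that owner only (mode 600); 1 otherwise.
# Uses GNU stat; on BSD/macOS substitute "stat -f '%Lp'" and "stat -f '%Su'".
check_key_perms() {
  _file="$1"; _owner="$2"
  _mode=$(stat -c '%a' "$_file" 2>/dev/null || echo none)
  _own=$(stat -c '%U' "$_file" 2>/dev/null || echo none)
  [ "$_own" = "$_owner" ] && [ "$_mode" = "600" ]
}

# Restrict the key directory itself to the service account (mode 700).
lock_down_key_dir() {
  chown "$2:$2" "$1"
  chmod 700 "$1"
}

# Step 1: create the system key on this node and refuse to go on if the
# resulting file is readable by anyone but the service account.
create_key() {
  lock_down_key_dir "$SYSTEM_KEY_DIR" "$DSE_USER"
  # The page's example uses 'AES/ECB/PKCS5Padding'; a CBC transformation is
  # assumed to be accepted by the DSE version in use.
  dsetool createsystemkey 'AES/CBC/PKCS5Padding' 128 "$KEY_NAME"
  chown "$DSE_USER:$DSE_USER" "$SYSTEM_KEY_DIR/$KEY_NAME"
  chmod 600 "$SYSTEM_KEY_DIR/$KEY_NAME"
  check_key_perms "$SYSTEM_KEY_DIR/$KEY_NAME" "$DSE_USER" || {
    echo "refusing to continue: bad owner or mode on $SYSTEM_KEY_DIR/$KEY_NAME" >&2
    exit 1
  }
  echo "system key created; restart the cluster, then run: $0 distribute"
}

# Step 2 (after the cluster restart): copy the same key to every other node,
# enable encryption on the table, rewrite SSTables on disk and verify.
distribute_and_enable() {
  for node in $NODES; do
    scp -p "$SYSTEM_KEY_DIR/$KEY_NAME" "$DSE_USER@$node:$SYSTEM_KEY_DIR/$KEY_NAME"
    ssh "$DSE_USER@$node" "chmod 600 '$SYSTEM_KEY_DIR/$KEY_NAME'"
  done
  # Option names follow DSE's Encryptor compressor (assumption; verify for your version).
  cqlsh -e "ALTER TABLE mykeyspace.users WITH compression = {
    'sstable_compression': 'Encryptor',
    'cipher_algorithm': 'AES/CBC/PKCS5Padding',
    'secret_key_strength': 128 };"
  # Rewrite existing SSTables now so data already on disk is encrypted.
  nodetool upgradesstables --include-all-sstables mykeyspace users
  # The wrapped table key should now be visible; the key column is left out on purpose.
  cqlsh -e "SELECT key_file, cipher, strength, key_id FROM dse_system.encrypted_keys;"
}

# Usage: sh dse_local_key_setup.sh create      (on the node that creates the key)
#        sh dse_local_key_setup.sh distribute  (same node, after the cluster restart)
case "${1:-}" in
  create) create_key ;;
  distribute) distribute_and_enable ;;
esac
```

check_key_perms is the part worth keeping around on its own: run it against the key file on every node after distribution, since scp preserves the mode only with -p and a key readable by other local accounts defeats the point of encrypting the SSTables.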