Encrypting sensitive property values

Steps to encrypt sensitive properties in the dse.yaml and cassandra.yaml configuration files.

DataStax recommends encrypting sensitive properties in the dse.yaml and cassandra.yaml on-disk configuration files.

The location of the dse.yaml file depends on the type of installation:
    • Installer-Services: /etc/dse/dse.yaml
    • Package installations: /etc/dse/dse.yaml
    • Installer-No Services: install_location/resources/dse/conf/dse.yaml
    • Tarball installations: install_location/resources/dse/conf/dse.yaml
The location of the cassandra.yaml file depends on the type of installation:
    • Package installations: /etc/dse/cassandra/cassandra.yaml
    • Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

Procedure

  1. In dse.yaml, verify that the config_encryption_active property is false.
    config_encryption_active: false
  2. In the dse.yaml file, define where the system keys are stored on disk. Verify or set the system_key_directory property. The default value is /etc/dse/conf.
  3. Generate a system key.
    On-server:
    $ dsetool createsystemkey cipher strength system_key_file
    Off-server (key held in a KMIP key server):
    $ dsetool createsystemkey cipher strength system_key_file -kmip=kmip_groupname
    For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key_file
    where:
    • system_key_file is a file with a unique file name
    • cipher is a valid cipher_algorithm
    • strength is the secret key strength in bits
    See Encryption/compression options and sub-options.
    You can create a global encryption key in the location that is specified by system_key_directory in the dse.yaml file. This default global encryption key is used when the system_key_file subproperty is not specified.
  4. Copy the returned value of the dsetool createsystemkey command.
  5. In the dse.yaml file, paste the value that was returned to set the config_encryption_key_name property:
    config_encryption_key_name: Sa9xOVaym7bddjXUT/eeOQ==
  6. Use the dsetool encryptconfigvalue command for each property that you want to encrypt. This command takes no arguments and prompts for the value to encrypt.
    One at a time, enter the encrypted value that is output for each property into the dse.yaml or cassandra.yaml configuration file. Ensure that each property is encrypted or commented out.
    dse.yaml
    • ldap_options.search_password
    • ldap_options.truststore_password
    cassandra.yaml
    • server_encryption_options.keystore_password
    • server_encryption_options.truststore_password
    • client_encryption_options.keystore_password
    • client_encryption_options.truststore_password
    • ldap_options.truststore_password
  7. In dse.yaml, set the config_encryption_active property to true:
    config_encryption_active: true
    When the config_encryption_active property is true, the configuration values must be encrypted or commented out.
  8. Start DSE.
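Step 7 requires that every sensitive property is encrypted or commented out before config_encryption_active is set to true, because a plaintext value left behind will fail to decrypt at startup. The following pre-flight check is an added example, not DataStax code: it scans a dse.yaml or cassandra.yaml fragment for the properties listed in step 6 and reports which are still plaintext. The YAML fragments and the ciphertext value are constructed here, the scanner assumes the DSE layout of section keys at column 0 with options indented beneath them, and the "looks encrypted" test is a heuristic on the base64 output of dsetool encryptconfigvalue, not a cryptographic verification.

```python
import base64
import re

# Sensitive properties from step 6 of the procedure, keyed by the file they live in.
SENSITIVE_PROPERTIES = {
    "dse.yaml": [
        "ldap_options.search_password",
        "ldap_options.truststore_password",
    ],
    "cassandra.yaml": [
        "server_encryption_options.keystore_password",
        "server_encryption_options.truststore_password",
        "client_encryption_options.keystore_password",
        "client_encryption_options.truststore_password",
        "ldap_options.truststore_password",
    ],
}

_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def flatten_yaml(text):
    """Minimal scanner (assumption: not a full YAML parser) for the two-level
    DSE layout. Returns {dotted.path: (value, commented)} so that commented-out
    options are seen as well as live ones."""
    entries = {}
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        commented = stripped.startswith("#")
        # Indent is measured past any leading '#', so "#    key:" and
        # "    # key:" both count as children of the current section.
        indent = len(raw) - len(raw.lstrip(" #"))
        match = _KEY_RE.match(raw.lstrip(" #"))
        if not match:
            continue
        key = match.group(1)
        value = re.split(r"\s+#", match.group(2))[0].strip().strip("'\"")
        if indent == 0 and not commented:
            # A bare "section:" opens a mapping; any other column-0 key ends it.
            section = key if value == "" else None
            path = key
        elif section is not None:
            path = f"{section}.{key}"
        else:
            path = key
        entries[path] = (value, commented)
    return entries


def looks_encrypted(value):
    """Heuristic: dsetool encryptconfigvalue emits base64 of block-cipher
    output, so anything that is not base64, decodes to fewer than 16 bytes,
    or to a length that is not a multiple of 8 is treated as plaintext."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(decoded) >= 16 and len(decoded) % 8 == 0


def audit_secrets(text, properties):
    """Classify each property as absent, commented, encrypted or plaintext."""
    entries = flatten_yaml(text)
    report = {}
    for path in properties:
        if path not in entries:
            report[path] = "absent"
            continue
        value, commented = entries[path]
        if commented:
            report[path] = "commented"
        elif looks_encrypted(value):
            report[path] = "encrypted"
        else:
            report[path] = "plaintext"
    return report


def safe_to_activate(text, properties):
    """True when step 7's rule holds: no listed secret is still in plaintext."""
    return "plaintext" not in audit_secrets(text, properties).values()


# Constructed stand-in for dsetool encryptconfigvalue output (base64 of 32 bytes).
SAMPLE_CIPHERTEXT = base64.b64encode(bytes(range(32))).decode()

# Constructed dse.yaml fragment: one secret still plaintext, one commented out.
SAMPLE_DSE_YAML = """\
config_encryption_active: false
config_encryption_key_name: system_key_file
system_key_directory: /etc/dse/conf
ldap_options:
    server_host: ldap.example.com
    search_password: hunter2
    # truststore_password: changeit
"""

# Constructed cassandra.yaml fragment after step 6: everything encrypted or commented.
SAMPLE_CASSANDRA_YAML = f"""\
server_encryption_options:
    internode_encryption: none
    keystore_password: {SAMPLE_CIPHERTEXT}
    truststore_password: {SAMPLE_CIPHERTEXT}
client_encryption_options:
    enabled: false
    keystore_password: {SAMPLE_CIPHERTEXT}
    #truststore_password: cassandra
"""

if __name__ == "__main__":
    for name, text in (("dse.yaml", SAMPLE_DSE_YAML), ("cassandra.yaml", SAMPLE_CASSANDRA_YAML)):
        print(name, audit_secrets(text, SENSITIVE_PROPERTIES[name]),
              "safe to activate:", safe_to_activate(text, SENSITIVE_PROPERTIES[name]))
```

Run it against the real files before flipping config_encryption_active; a "plaintext" entry means that property still needs a pass through dsetool encryptconfigvalue or a comment marker. Because the encrypted check is only a shape test, it cannot tell a correctly encrypted value from any other well-formed base64 string, so it catches the common mistake (a forgotten password) rather than proving the ciphertext is valid.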