Configuring encryption using local encryption keys

To encrypt data using encryption keys that are stored locally, use the dse command to create a system key for encryption.

To encrypt data using encryption keys that are stored locally, use the dse command to create a system key for encryption. Next, copy the system key to the other nodes in the cluster. The entire cluster uses the system key to decrypt SSTables for operations such as repair. You also use the system key during upgrading and restoring SSTables that might have been corrupted.

Procedure

  1. Back up SSTables.
  2. Set the system_key_directory.
    • On a packaged installation, accept the default system_key_directory /etc/dse/conf. Go to the next step to set permissions on the directory.
    • On a tarball installation, optionally change the directory on each node in the cluster from /etc/dse/conf to another directory, or skip this step and adjust permissions as described in the next step. You must configure the path to the system key to relocate the key to a directory that you have permission to access.
      • Navigate to install-directory/resources/dse/conf.
      • Open the dse.yaml file for editing.
      • Change the path of the system_key_directory to the path of a directory that you have permission to access.
    The location of the dse.yaml file depends on the type of installation:
    Installer-Services /etc/dse/dse.yaml
    Package installations /etc/dse/dse.yaml
    Installer-No Services install_location/resources/dse/conf/dse.yaml
    Tarball installations install_location/resources/dse/conf/dse.yaml
  3. Set permissions on the system_key_directory to give rights to change the keytab file only to the user/group running DataStax Enterprise. JNA takes care of setting these permissions.
  4. Ensure that the user who encrypts data has been granted ALTER permission on the table that contains the data to be encrypted. You can use LIST PERMISSIONS to view the permissions that are granted to a user.
  5. Create a system key using the dsetool createsystemkey command.
    For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
  6. Restart the cluster.
  7. Copy the created key to the system_key_directory on each node in the cluster.
  8. Set encryption options as you create a table or alter an existing table.

    Tables are encrypted when Cassandra stores the tables on disk as SSTables.

  9. Rewrite all SSTables using nodetool upgradesstables --include-all-sstables to immediately store the tables on disk.
  10. After encrypted SSTables are flushed to disk, you can verify that the dse_system keyspace and encrypted_keys table exist: 
    cqlsh:mykeyspace> DESCRIBE KEYSPACES;

system  dse_system  mykeyspace  system_traces

    On all nodes, the system key appears when selected from the dse_system.encrypted_keys table:

    cqlsh:mykeyspace> SELECT * FROM dse_system.encrypted_keys;
 
key_file   | cipher | strength | key_id        | key
-----------+--------+----------+---------------+-----------
system_key |    AES |      128 | 2e4ea4a0-... | uyBEGhX...