Encrypting sensitive property values

Encrypting sensitive properties in the dse.yaml and cassandra.yaml configuration files.

DataStax recommends encrypting sensitive properties in the dse.yaml and cassandra.yaml on-disk configuration files.

The location of the dse.yaml file depends on the type of installation:
Installer-Services /etc/dse/dse.yaml
Package installations /etc/dse/dse.yaml
Installer-No Services install_location/resources/dse/conf/dse.yaml
Tarball installations install_location/resources/dse/conf/dse.yaml
The location of the cassandra.yaml file depends on the type of installation:
Package installations /etc/dse/cassandra/cassandra.yaml
Tarball installations install_location/resources/cassandra/conf/cassandra.yaml

Procedure

  1. In dse.yaml, verify that the config_encryption_active property is false.
    config_encryption_active: false
  2. In the dse.yaml file, define where the system keys are stored on disk. Verify or set the system_key_directory property. The default value is /etc/dse/conf.
  3. Generate a system key.
    On-server:
    dsetool createsystemkey cipher strength system_key_file
    Off-server
    dsetool createsystemkey cipher strength system_key_file -kmip=kmip_groupname
    For example:
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key_file1
    where: See Encryption/compression options and sub-options
    You can create a global encryption key in the location that is specified by system_key_directory in the dse.yaml file. This default global encryption key is used when the system_key_file subproperty is not specified.
  4. Copy the returned value of the dsetool createsystemkey command into the system key file.
  5. In the dse.yaml file, enter the file name of the system key file in the config_encryption_key_name property. For example, system_key_file1:
    If you're using local keys, specify the local file:
    config_encryption_key_name: system_key_file1
    If you're using KMIP to store external keys, specify the KMIP service:
    config_encryption_key_name: kmip://kmip_groupname/system_key_file
    Note: Set the KMIP group name that matches a group configured in dse.yaml.
  6. Use the dsetool encryptconfigvalue command for each property that you want to encrypt. This command takes no arguments and prompts for the value to encrypt.
    One at a time, enter the encrypted value that is output for each property into the dse.yaml or cassandra.yaml configuration file. Ensure that each property is encrypted or commented out.
    dse.yaml
    • ldap_options.search_password
    • ldap_options.truststore_password
    cassandra.yaml
    • server_encryption_options.keystore_password
    • server_encryption_options.truststore_password
    • client_encryption_options.keystore_password
    • client_encryption_options.keystore_password
    • ldap_options.truststore_password
  7. In dse.yaml, set the config_encryption_active property to true:
    config_encryption_active: true
    When the config_encryption_active property is true, the configuration values must be encrypted or commented out.
  8. Start dse.