Steps to configure DataStax Enterprise encryption for in-flight data and at-rest data.

DataStax Enterprise supports encryption for in-flight data and at-rest data using a system key.
System key overview

Encrypt data in tables using a system key.
- You can create any number of system keys using the dsetool createsystemkey command.
- All of the system keys must be consistent cluster-wide at the location set by the system_key_directory property in dse.yaml.
- The system keys must have read and write permissions for the user.
- Different tables can use different system keys.
- To use a specific system key for a table, specify the 'system_key_file':'system_key_filename' subproperty in the CREATE TABLE or ALTER TABLE statement.
- A default global system key for the DataStax Enterprise cluster is used when the 'system_key_file':'system_key_filename' subproperty is not specified.
- The global system key is an encryption key that you create in the location specified by the system_key_directory property in the dse.yaml file.
- You can use any name for the global key file. With the dsetool createsystemkey command, use the [file] option to specify the key name. For example, passing globalsystemkey as the [file] argument (dsetool createsystemkey ... globalsystemkey) creates a system key named globalsystemkey. If you do not specify a key name, the default key name is system_key. The default key name is not configurable.

The default global system key file is inserted in the dse_system.encrypted_keys table that is used across the cluster.
Procedure

- Create a global encryption key, called a system key, using the dsetool createsystemkey command.

  For example, to create a system key named system_key with the AES/ECB/PKCS5Padding cipher algorithm and 128-bit key strength:

      sudo dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key

  The command accepts these options:

      dsetool createsystemkey cipher_algorithm[/mode/padding] secret_key_strength [file] [-k=kmip_groupname [-t kmip_template] [-n namespace]]

  It creates a global encryption key, called a system key, for SSTable encryption. For the meaning of each option, see Encryption/compression options and algorithm sub-options, and Encrypting sensitive property values.
- Store the encryption certificates locally or on a KMIP key server. Ensure that the system keys have read and write permissions for the user.
- Configure encryption for system tables. The Cassandra commit log is encrypted when system encryption is enabled. To encrypt system tables that contain sensitive information, including the Cassandra commit log, edit the configuration file in a text editor and set these options:

      system_info_encryption:
        enabled: true
        cipher_algorithm: AES
        secret_key_strength: 128
        chunk_length_kb: 64
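The following script is an added example; it is not part of the DataStax documentation or of DSE itself. It turns the requirements stated in the overview and in the first three procedure steps into checks an operator can run on each node: the system key file is readable and writable by the user and not exposed to others, the key is byte-for-byte identical across the directories that stand in for each node's system_key_directory, and the system_info_encryption block in dse.yaml is enabled with the cipher and key strength the step above shows. It assumes (the page does not state this) that the key is a plain file named after the [file] argument, that a correctly protected key file has mode 0600, that dse.yaml uses the two-space indentation shown above, and that the node directories are reachable as local paths; the sample key bytes and the dse.yaml fragment used in testing are constructed.

```shell
#!/bin/sh
# Added example, not DataStax code: post-setup checks for DSE system keys and
# the system_info_encryption block in dse.yaml.
# Assumptions (not stated by the page): the key is a plain file named after
# the [file] argument (default system_key) inside system_key_directory; a
# correctly protected key file is mode 0600; dse.yaml uses the two-space
# indentation shown in the procedure; one local directory stands in for each
# node's system_key_directory.

# Return 0 if KEYFILE exists, is readable and writable by the invoking user,
# and is not exposed to group or others (mode 600).
check_key_perms() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "missing: $keyfile" >&2; return 1; }
    { [ -r "$keyfile" ] && [ -w "$keyfile" ]; } || { echo "not readable/writable by user: $keyfile" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    [ "$mode" = "600" ] || { echo "mode $mode on $keyfile, expected 600" >&2; return 1; }
    return 0
}

# Return 0 if KEYNAME has identical content in every directory given (one
# directory per node): the page requires system keys to be consistent
# cluster-wide, so a node with a different or missing key is a finding.
check_keys_consistent() {
    keyname="$1"; shift
    ref=""
    for dir in "$@"; do
        f="$dir/$keyname"
        sum=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f" 2>/dev/null) | cut -d' ' -f1)
        [ -n "$sum" ] || { echo "missing or unreadable: $f" >&2; return 1; }
        if [ -z "$ref" ]; then
            ref="$sum"
        elif [ "$sum" != "$ref" ]; then
            echo "mismatch: $f differs from the first node's key" >&2
            return 1
        fi
    done
    return 0
}

# Print the value of KEY inside the system_info_encryption: block of FILE
# (empty if absent). Indented lines belong to the block until the next
# top-level key.
sie_get() {
    awk -v key="$2" '
        /^system_info_encryption:/   { inblk = 1; next }
        inblk && /^[^ #]/            { inblk = 0 }
        inblk && $1 == (key ":")     { print $2; exit }
    ' "$1"
}

# Return 0 only if system-table (and therefore commit log) encryption is
# enabled with the values this checklist expects: an AES cipher, a
# 128/192/256-bit key (the procedure uses AES with 128) and a positive
# chunk_length_kb.
check_system_info_encryption() {
    f="$1"
    [ "$(sie_get "$f" enabled)" = "true" ] || { echo "system_info_encryption.enabled is not true in $f" >&2; return 1; }
    cipher=$(sie_get "$f" cipher_algorithm)
    strength=$(sie_get "$f" secret_key_strength)
    chunk=$(sie_get "$f" chunk_length_kb)
    case "$cipher" in
        AES|AES/*) ;;
        *) echo "cipher_algorithm is '$cipher', expected AES" >&2; return 1 ;;
    esac
    case "$strength" in
        128|192|256) ;;
        *) echo "secret_key_strength is '$strength', expected 128, 192 or 256" >&2; return 1 ;;
    esac
    case "$chunk" in
        ''|*[!0-9]*|0) echo "chunk_length_kb is '$chunk', expected a positive integer" >&2; return 1 ;;
    esac
    return 0
}

# Usage: sh dse-encryption-check.sh DSE_YAML KEYNAME NODE_DIR...
if [ $# -ge 3 ]; then
    yaml="$1"; keyname="$2"; shift 2
    rc=0
    check_system_info_encryption "$yaml" || rc=1
    for dir in "$@"; do check_key_perms "$dir/$keyname" || rc=1; done
    check_keys_consistent "$keyname" "$@" || rc=1
    exit $rc
fi
```

Run it with the path to dse.yaml, the key name you passed as [file] (or system_key), and one directory per node; a non-zero exit means at least one of the conditions above does not hold. The consistency check compares hashes rather than copying key material, so it can be run from a node that should never see another node's key bytes.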
- To ensure support for all encryption algorithms, install JCE.
- Encrypt data with one or all of these steps: