Configuring encryption

Steps to configure DataStax Enterprise encryption for in-flight data and at-rest data.

DataStax Enterprise supports encryption for in-flight data and at-rest data using a system key.

System key overview

Encrypt data in tables using a system key.
  • You can create any number of system keys using the dsetool createsystemkey command.
  • All of the system keys must be consistent cluster-wide at the location set by the system_key_directory property in dse.yaml.
  • The system keys must have read and write permissions for the user.
  • Different tables can use different system keys.
  • To use a specific system key for any table, specify the 'system_key_file':'system_key_filename' subproperty in the CREATE TABLE or ALTER TABLE statement.
  • A default global system key for the DataStax Enterprise cluster is used when the 'system_key_file':'system_key_filename' subproperty is not specified.
    • The global system key is an encryption key that you create in the location that is specified for the system_key_directory property in the dse.yaml file.
    • You can use any name for the global key file. With the dsetool createsystemkey command, use the [file] option to specify a key name. For example: dsetool createsystemkey file globalsystemkey .... creates a system key named globalsystemkey. If you do not specify the key name, the default key name is system_key. The default key name is not configurable.
    The default global system key file is inserted in the dse_system.encrypted_keys table that is used across the cluster.
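
One way to check the two file-level requirements above (key files readable and writable by the user, identical on every node) once keys exist. This is an added example, not DataStax code; it assumes GNU stat and sha256sum, and the rule that group and others get no access is an assumed hardening beyond what this page requires.

```shell
#!/bin/sh
# Added example, not DataStax code. Assumes GNU stat and sha256sum (Linux)
# and key file names without spaces. The "no group/other access" rule is an
# assumed hardening; the page only requires read and write for the user.

# check_key_file FILE OWNER: print a one-word verdict; return 0 only for "ok".
check_key_file() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    owner=$(stat -c %U "$1")
    mode=$(stat -c %a "$1")
    bits=$(( 0$mode ))                       # parse the mode digits as octal
    [ "$owner" = "$2" ] || { echo "wrong-owner"; return 1; }
    [ $(( bits & 0600 )) -eq $(( 0600 )) ] || { echo "owner-lacks-rw"; return 1; }
    [ $(( bits & 0077 )) -eq 0 ] || { echo "group-or-other-access"; return 1; }
    echo "ok"
}

# key_manifest DIR OWNER: print "<name> <verdict> <sha256>" per key file.
# Returns non-zero if any file fails check_key_file.
# Treat the manifest as sensitive: it fingerprints key material.
key_manifest() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        verdict=$(check_key_file "$f" "$2") || rc=1
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        echo "$(basename "$f") $verdict $sum"
    done
    return $rc
}

# manifests_match A B: succeed when two nodes' manifests list the same key
# names with the same digests (the verdict column is ignored).
manifests_match() {
    a=$(cut -d' ' -f1,3 "$1" | sort)
    b=$(cut -d' ' -f1,3 "$2" | sort)
    [ "$a" = "$b" ]
}

# Stand-alone use: script.sh <system_key_directory> <owner>
if [ "$#" -ge 2 ]; then key_manifest "$1" "$2"; fi
```

Run key_manifest on each node against the directory set by system_key_directory, save the output, and compare any two nodes' files with manifests_match.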


  1. Create a global encryption key, called a system key, using the dsetool createsystemkey command:
    For example, to create a system key named system_key with the AES/ECB/PKCS5Padding cipher algorithm and a key strength of 128:
    sudo dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
    where you can specify these options:
    createsystemkey cipher_algorithm[/mode/padding] secret_key_strength [file] [-k=kmip_groupname [-t kmip_template] [-n namespace]]
    Creates a global encryption key, called a system key, for SSTable encryption using the following options:
    • cipher_algorithm[/mode/padding] secret_key_strength - When Java Cryptography Extension (JCE) is installed, the cipher_algorithm options and acceptable secret_key_strength values for the algorithms are:
      cipher_algorithm             secret_key_strength
      AES/CBC/PKCS5Padding         128, 192, or 256
      AES/ECB/PKCS5Padding         128, 192, or 256
      DES/CBC/PKCS5Padding         56
      DESede/CBC/PKCS5Padding      112 or 168
      Blowfish/CBC/PKCS5Padding    32-448
      RC2/CBC/PKCS5Padding         40-128

      Key strength is not required for HMAC algorithms.

    • file - Specify the name of the system key file to create. If no name is specified, the default system key file name is system_key. The default system key file name is not configurable.
    • -k=kmip_groupname - Use the KMIP connection information to create a remote system key for the KMIP key server group that is defined in the kmip_hosts section in the dse.yaml file. The following options are available only for the specified KMIP key server group:
      • -t kmip_template - Uses the specified KMIP server key template.
      • -n namespace - Specifies the namespace to create the system key with.
    See Encryption/compression options and algorithm sub-options and Encrypting sensitive property values.
  2. Store the encryption certificates locally or on a KMIP key server:
    Ensure the system keys have read and write permissions for the user.
  3. Configure encryption for system tables. The Cassandra commit log is encrypted when system encryption is enabled.
    Configure system table encryption to encrypt system tables that contain sensitive information, including the Cassandra commit log. Edit the dse.yaml file in a text editor and set these options:
      system_info_encryption:
          enabled: true
          cipher_algorithm: AES
          secret_key_strength: 128
          chunk_length_kb: 64
  4. To ensure support for all encryption algorithms, install JCE.
  5. Encrypt data with one or all of these steps: