Configure KMIP (Key Management Interoperability Protocol) encryption to use encryption keys that are stored on another server.

In addition to encrypting table data, you can optionally encrypt passwords in configuration files and sensitive information in system tables. When encryption keys are maintained on a KMIP key server, the keys are cached locally by Cassandra in the memory heap of the DSE process while they are in use.
The location of the dse.yaml file depends on the type of installation:

Installer-Services    | /etc/dse/dse.yaml
Package installations | /etc/dse/dse.yaml
Installer-No Services | install_location/resources/dse/conf/dse.yaml
Tarball installations | install_location/resources/dse/conf/dse.yaml

Use OpsCenter to configure an alert to monitor KMIP server status.
Procedure
- Back up SSTables.
- Set the system_key_directory property in the dse.yaml file.
  - On a packaged installation, accept the default system_key_directory: /etc/dse/conf. Go to the next step to set permissions on the directory.
  - On a tarball installation, optionally change the directory on each node in the cluster from /etc/dse/conf to another directory, or skip this step and adjust permissions as described in the next step. To relocate the key to a directory that you have permission to access, configure the path to the system key as follows:
    - Navigate to install-directory/resources/dse/conf.
    - Open the dse.yaml file for editing.
    - Change the path of the system_key_directory to the path of a directory that you have permission to access.
- Set permissions on the directory that is set for the system_key_directory property in the dse.yaml file so that only the user role that runs DataStax Enterprise has rights to change the keytab file. JNA takes care of setting these permissions.
- Ensure that the role that encrypts data has been granted ALTER permission on the table that contains the data to be encrypted. You can use LIST PERMISSIONS to view the permissions that are granted to a role.
- Perform host configuration for one or more KMIP key server groups.
  - Configure the KMIP key manager and authorize each DataStax Enterprise node to the KMIP key server group. Consult the KMIP key server documentation.
  - On each DataStax Enterprise node, open the dse.yaml file in a text editor and configure the KMIP key server group or key server groups in the kmip_hosts section. Create a user-defined name for a group of options to configure a KMIP server or servers, key settings, and certificates. Configure options for a kmip_groupname section for each KMIP key server or group of KMIP key servers. Using separate key server configuration settings allows use of different key servers to encrypt table data, and eliminates the need to enter key server configuration information in DDL statements and other configurations. Multiple KMIP hosts are supported.
Option              | Description
hosts               | A comma-separated list of hosts[:port] for the KMIP key server. There is no load balancing. In failover scenarios, failover occurs in the same order that servers are listed. For example: hosts: kmip1.yourdomain.com, kmip2.yourdomain.com
keystore_path       | The path to a Java keystore that identifies the DSE node to the KMIP key server. For example: /path/to/keystore.jks
keystore_type       | The type of keystore. The default value is jks.
keystore_password   | The password to access the keystore.
truststore_path     | The path to a Java truststore that identifies the KMIP key server to the DataStax Enterprise node. For example: /path/to/truststore.jks
truststore_type     | The type of truststore. The default value is jks.
truststore_password | The password to access the truststore.
key_cache_millis    | Milliseconds to locally cache the encryption keys that are read from the KMIP hosts. The longer the encryption keys are cached, the fewer requests are made to the KMIP key server, but the longer it takes for changes, like revocation, to propagate to the DataStax Enterprise node. DataStax Enterprise uses concurrent encryption, so multiple threads fetch the secret key from the KMIP key server at the same time. Default: 300000. DataStax recommends using the default value.
timeout             | Socket timeout in milliseconds. Default: 1000.
This example shows configuration settings for Vormetric and Thales key servers:

kmip_hosts:
  vormetricgroup:
    hosts: vormetric1.mydomain.com, vormetric2.mydomain.com, vormetric3.mydomain.com
    keystore_path: pathto/kmip/keystore.jks
    keystore_type: jks
    keystore_password: password
    truststore_path: pathto/kmip/truststore.jks
    truststore_type: jks
    truststore_password: password
  thalesgroup:
    hosts: thales1.mydomain.com, thales2.mydomain.com
    keystore_path: pathto/kmip/keystore.jks
    keystore_type: jks
    keystore_password: password
    truststore_path: pathto/kmip/truststore.jks
    truststore_type: jks
    truststore_password: password
- On each DataStax Enterprise node, confirm communication with the KMIP key server and restart the node.
  - Use the dsetool utility to confirm communication:
    $ dsetool managekmip list kmip_groupname
  - After communication between the DataStax Enterprise node and the KMIP key server or servers is verified, restart the node. Repeat this step on each node.
  The DataStax Enterprise node will not start if it cannot connect to the configured KMIP key server.
- Set and use KMIP as the encryption key provider.
  - Set KMIP encryption options when you create a table or alter an existing table.
  - Optional: Configure password encryption to encrypt stored passwords in the configuration files. Use dsetool to generate the required URL:
    dsetool createsystemkey 'AES/ECB/PKCS5' 128 -k kmip_groupname
    Edit the dse.yaml file in a text editor. For the config_encryption_key_name property, paste the URL that is returned from the dsetool createsystemkey utility. See Encrypting sensitive property values.
  - Optional: Configure system table encryption to encrypt system tables that contain sensitive information, including the Cassandra commit log. Edit the dse.yaml file in a text editor. In the system_info_encryption section, comment out key_name if it exists, and uncomment or add key_provider and kmip_host:
    system_info_encryption:
      enabled: false
      cipher_algorithm: AES
      secret_key_strength: 128
      chunk_length_kb: 64
      key_provider: KmipKeyProviderFactory
      kmip_host: kmip_groupname
    Use key_provider: KmipKeyProviderFactory only to specify a KMIP key server.
- Use the dsetool managekmip command to manage encryption keys that are stored on the KMIP key server. See Managing off-server encryption keys.
- Rewrite all SSTables using nodetool upgradesstables --include-all-sstables to immediately store the tables on disk.
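The kmip_hosts options from the host configuration step above can be checked before a node is restarted (a node that cannot reach its KMIP group will not start). The following linter is an added example, not DataStax code: it parses only the indented kmip_hosts layout shown in this page, reports missing required options, malformed hosts[:port] entries, the placeholder keystore/truststore passwords left from the sample, and a key_cache_millis larger than the 300000 default (which slows revocation propagation); the dse.yaml fragment it runs on is constructed for the example.

```python
import re

REQUIRED = ("hosts", "keystore_path", "keystore_password", "truststore_path", "truststore_password")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")  # one hosts entry: host or host:port

def parse_kmip_hosts(text):
    """Minimal parser for the indented kmip_hosts block -> {group: {option: value}}; not general YAML."""
    groups, group, in_section = {}, None, False
    for line in (raw.rstrip() for raw in text.splitlines() if raw.strip() and not raw.lstrip().startswith("#")):
        indent = len(line) - len(line.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        if indent == 0:                                # top-level key: enter or leave kmip_hosts
            in_section, group = (key == "kmip_hosts" and value == ""), None
        elif in_section and value == "":               # a kmip_groupname header
            group, groups[key] = key, {}
        elif in_section and group is not None:         # an option inside the current group
            groups[group][key] = value
    return groups

def lint_group(name, opts):
    """Findings for one group; an empty list means the block passes every check."""
    findings = [f"{name}: missing {opt}" for opt in REQUIRED if opt not in opts]
    for host in (h.strip() for h in opts.get("hosts", "").split(",") if h.strip()):
        if not HOST_RE.match(host):
            findings.append(f"{name}: malformed hosts entry {host!r}")
    for opt in ("keystore_password", "truststore_password"):
        if opts.get(opt) == "password":                # the literal left in place from the sample configuration
            findings.append(f"{name}: {opt} is still the placeholder 'password'")
    cache = opts.get("key_cache_millis")
    if cache is not None and (not cache.isdigit() or int(cache) > 300000):
        findings.append(f"{name}: key_cache_millis={cache} exceeds the 300000 default; revocation propagates slower")
    return findings

def lint(text):
    return {g: lint_group(g, o) for g, o in parse_kmip_hosts(text).items()}

SAMPLE = """\
kmip_hosts:
  vormetricgroup:
    hosts: vormetric1.mydomain.com:5696, vormetric2.mydomain.com
    keystore_path: /etc/dse/kmip/keystore.jks
    keystore_password: changed-secret
    truststore_path: /etc/dse/kmip/truststore.jks
    truststore_password: changed-secret
  thalesgroup:
    hosts: thales1.mydomain.com, thales2.mydomain.com:abc
    keystore_password: password
    truststore_password: password
    key_cache_millis: 3600000
"""  # constructed dse.yaml fragment: one clean group, one with every problem the linter reports
```

Running lint(SAMPLE) returns an empty list for vormetricgroup and six findings for thalesgroup, which is the state to reach before dsetool managekmip list and the node restart.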