Encrypting using local encryption keys

To encrypt data using encryption keys that are stored locally, use the dsetool createsystemkey command to create a system key for encryption.

The high-level steps to encrypt data using encryption keys that are stored locally are:
  1. Use the dsetool createsystemkey command to create a system key for encryption.
  2. Copy the system key to the other nodes in the cluster.
Every node in the cluster needs the system key to decrypt SSTables, for example during repair. The system key is also required when upgrading SSTables and when restoring SSTables that might have been corrupted.
The location of the dse.yaml file depends on the type of installation:
  Installer-Services       /etc/dse/dse.yaml
  Package installations    /etc/dse/dse.yaml
  Installer-No Services    install_location/resources/dse/conf/dse.yaml
  Tarball installations    install_location/resources/dse/conf/dse.yaml

Procedure

Follow these detailed steps to encrypt data using encryption keys that are stored locally:

  1. Back up SSTables.
  2. Set the system_key_directory property in the dse.yaml file.
    • On a packaged installation, accept the default system_key_directory: /etc/dse/conf. Go to the next step to set permissions on the directory.
    • On a tarball installation, either keep the default /etc/dse/conf and set its permissions as described in the next step, or change system_key_directory on each node in the cluster to a directory that the account running DataStax Enterprise has permission to access. To relocate the key:
      • Navigate to install-directory/resources/dse/conf.
      • Open the dse.yaml file for editing.
      • Change the path of the system_key_directory to the path of a directory that you have permission to access.
  3. Set permissions on the directory named by the system_key_directory property in the dse.yaml file so that only the account that runs DataStax Enterprise can read and change the system key file stored there. JNA sets the permissions on the key file itself.
  4. Ensure that the role that encrypts data has been granted ALTER permission on the table that contains the data to be encrypted. Use LIST PERMISSIONS to view the permissions that are granted to a role.
  5. Create a system key using the dsetool createsystemkey command. The arguments are the cipher transformation, the key strength in bits, and the name of the key file, which is written to the system_key_directory.
    For example:
    $ dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
  6. Restart the cluster so that every node picks up the dse.yaml change.
  7. Copy the created key file into the directory named by the system_key_directory property in the dse.yaml file on each of the other nodes in the cluster.
  8. Set encryption options when you create a table or alter an existing table.
    Tables are encrypted when Cassandra stores the tables on disk as SSTables.
  9. Rewrite all SSTables using nodetool upgradesstables --include-all-sstables so that data already on disk is re-encrypted immediately. Existing SSTables are not encrypted until they are rewritten.
  10. After encrypted SSTables have been flushed to disk, verify that the dse_system keyspace and its encrypted_keys table exist:
    cqlsh:mykeyspace> DESCRIBE KEYSPACES;
    
    system  dse_system  mykeyspace  system_traces

    On all nodes, the system key appears when selected from the dse_system.encrypted_keys table:

    cqlsh:mykeyspace> SELECT * FROM dse_system.encrypted_keys;
     
    key_file   | cipher | strength | key_id        | key
    -----------+--------+----------+---------------+-----------
    system_key |    AES |      128 | 2e4ea4a0-... | uyBEGhX...
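The following shell functions are an added example for checking the results of steps 3 and 7 above; they are not DataStax tooling. They assume, as labelled in the comments, that the DSE service account is named cassandra and that the key file is named system_key as in the dsetool example above; adjust both for your installation. The permission check confirms that the directory and the key file are owned by the DSE account and grant nothing to group or other, and the fingerprint lets you confirm that the copy on each node is identical without moving the key again.

```shell
#!/usr/bin/env bash
# Added example, not part of DataStax Enterprise: post-setup checks for a
# locally stored system key.
# Assumptions (not from the page): the DSE service account is "cassandra" and
# the key file is "system_key", matching the dsetool example. Adjust both.

# check_system_key_dir DIR KEYFILE USER
# Returns 0 when DIR and DIR/KEYFILE exist, are owned by USER and grant no
# permission bits to group or other; otherwise prints the first problem found
# and returns 1.
check_system_key_dir() {
    dir=$1 key=$2 user=$3
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$dir/$key" ] || { echo "missing key file: $dir/$key"; return 1; }
    for path in "$dir" "$dir/$key"; do
        # GNU stat first, BSD stat as a fallback
        owner=$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path")
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%OLp' "$path")
        [ "$owner" = "$user" ] || { echo "$path is owned by $owner, expected $user"; return 1; }
        # The octal mode must end in 00: no read, write or execute for group or other.
        case $mode in
            *00) ;;
            *) echo "$path has mode $mode; group and other bits must be 0"; return 1 ;;
        esac
    done
    return 0
}

# key_fingerprint DIR KEYFILE
# Prints the SHA-256 of the key file. Run it on every node and compare the
# output to confirm that step 7 left identical copies everywhere.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1/$2" | cut -d' ' -f1
    else
        shasum -a 256 "$1/$2" | cut -d' ' -f1
    fi
}

# Typical use on one node, with the assumed account and file names:
#   check_system_key_dir /etc/dse/conf system_key cassandra \
#       && key_fingerprint /etc/dse/conf system_key
```

Run the check on every node after copying the key; a mode such as 644 on the key file or 755 on the directory is reported and makes the function return non-zero, so it can gate a deployment script.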