Encrypting sensitive property values

Encrypting sensitive properties in the dse.yaml and cassandra.yaml configuration files.

DataStax recommends encrypting sensitive properties in the dse.yaml and cassandra.yaml on-disk configuration files.

The location of the dse.yaml file depends on the type of installation:

Installer-Services	/etc/dse/dse.yaml
Package installations	/etc/dse/dse.yaml
Installer-No Services	`install_location`/resources/dse/conf/dse.yaml
Tarball installations	`install_location`/resources/dse/conf/dse.yaml

The location of the cassandra.yaml file depends on the type of installation:

Installer-Services	/etc/dse/cassandra/cassandra.yaml
Package installations	/etc/dse/cassandra/cassandra.yaml
Installer-No Services	`install_location`/resources/cassandra/conf/cassandra.yaml
Tarball installations	`install_location`/resources/cassandra/conf/cassandra.yaml

Procedure

In dse.yaml, verify that the config_encryption_active property is false.
```
config_encryption_active: false
```
In the dse.yaml file, define where the system keys are stored on disk. Verify or set the system_key_directory property. The default value is /etc/dse/conf.
Generate a system key.
On-server:
```
dsetool createsystemkey cipher strength system_key_file
```
Off-server
```
dsetool createsystemkey cipher strength system_key_file -kmip=kmip_groupname
```
For example:
```
dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key_file1
```
where:
- system_key_file is a unique file name for the system key file; in the example: system_key_file1
- cipher is a valid cipher_algorithm
- strength is the secret key strength
See Encryption/compression options and sub-options
You can create a global encryption key in the location that is specified by system_key_directory in the dse.yaml file. This default global encryption key is used when the system_key_file subproperty is not specified.
Change the file mode to allow the dse user to read the files:
```
chmod 666 system_key_file
```
Copy the returned value of the dsetool createsystemkey command into the system key file.
In the dse.yaml file, enter the file name of the system key file in the config_encryption_key_name property. For example, system_key_file1:
If you're using local keys, specify the local file:
```
config_encryption_key_name: system_key_file1
```
If you're using KMIP to store external keys, specify the KMIP service:
```
config_encryption_key_name: kmip://kmip_groupname/system_key_file
```
Note: Set the KMIP group name that matches a group configured in dse.yaml.

Use the dsetool encryptconfigvalue command for each property that you want to encrypt. This command takes no arguments and prompts for the value to encrypt.

One at a time, enter the encrypted value that is output for each property into the dse.yaml or cassandra.yaml configuration file. Ensure that each property is encrypted or commented out.

dse.yaml	ldap_options.search_password ldap_options.truststore_password
cassandra.yaml	server_encryption_options.keystore_password server_encryption_options.truststore_password client_encryption_options.keystore_password client_encryption_options.keystore_password

You cannot encrypt the KMIP keystore or truststore passwords.

In dse.yaml, set the config_encryption_active property to true:
```
config_encryption_active: true
```
When the config_encryption_active property is true, the configuration values must be encrypted or commented out.
Restart dse.