Configuring local encryption

Use locally stored symmetric encryption keys to protect sensitive system resources, configuration file properties and/or database tables.

Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

  • Create any number of local encryption keys using the dsetool createsystemkey command.
    • Tables can use different encryption keys.

      DataStax Enterprise creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt/decrypt the table key.

    • Configuration properties use the same key file that is defined by the config_encryption_key_name property.
    • All system resources use the same key file. (The file is not selectable.)
  • Distribute all local encryption key files cluster-wide. Put the keys in the same folder on every node and define the location in the system_key_directory property of dse.yaml.
  • Ensure that the DataStax Enterprise account owns the system_key_directory and has read/write permission.
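
The last two guidelines can be checked on each node with a short script. This is an added example, not DataStax code: it assumes GNU stat and sha256sum, takes the dse.yaml path and the service account name from the caller, and the group/other permission check is extra hardening that the guidelines above do not state.

```shell
#!/bin/sh
# Added example (not DataStax code): audit the local key directory on one node.
# Assumes GNU stat and sha256sum. The dse.yaml path and the service account
# name are supplied by the caller; neither is taken from the page.

# Print the system_key_directory value configured in the given dse.yaml.
get_key_dir() {
    sed -n 's/^system_key_directory:[[:space:]]*//p' "$1" | tr -d "\"'" | head -n 1
}

# audit_key_dir <dse.yaml> <account>: one FAIL line per finding, status 1 if any.
audit_key_dir() {
    dir=$(get_key_dir "$1"); rc=0
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL system_key_directory not set or not a directory: $dir"
        return 1
    fi
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob did not match
        perm=$(( 0$(stat -c %a "$f") ))    # octal mode string -> integer
        if [ "$(stat -c %U "$f")" != "$2" ]; then
            echo "FAIL $f is not owned by $2"; rc=1
        fi
        if [ $(( perm & 0600 )) -ne $(( 0600 )) ]; then
            echo "FAIL $f: owner lacks read/write permission"; rc=1
        fi
        # Extra hardening check, not stated on the page: no group/other access.
        if [ $(( perm & 0077 )) -ne 0 ]; then
            echo "FAIL $f: accessible to group or other"; rc=1
        fi
    done
    return $rc
}

# key_fingerprints <dse.yaml>: "<sha256>  ./<file>" lines, sorted by name.
# Identical output on every node means the same key files are distributed.
key_fingerprints() {
    dir=$(get_key_dir "$1")
    (cd "$dir" && find . -maxdepth 1 -type f -exec sha256sum {} + | sort -k 2)
}

# Stand-alone use: sh audit.sh /path/to/dse.yaml <account>
if [ "$#" -eq 2 ]; then
    audit_key_dir "$1" "$2" && echo "OK: key directory checks passed"
    key_fingerprints "$1"
fi
```

Run it on every node and diff the fingerprint output; any difference means a node holds a missing or mismatched key file.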