Setting up local encryption keys

Create a local key file and set the file name that table-level encryption options and the configuration-file encryption properties refer to.

Create a local encryption key file, distribute it to the same location on every node in the cluster, and update the system_key_directory and config_encryption_key_name properties in dse.yaml. The key file is the root of trust for everything encrypted with it, so it must be readable only by the DSE service account.
Note: To change an encryption key that already protects data, see Rekeying existing data.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations and Installer-Services installations:
    /etc/dse/dse.yaml

Tarball installations and Installer-No Services installations:
    installation_location/resources/dse/conf/dse.yaml

Procedure

  1. To ensure support for all of the cipher algorithms and key lengths listed below, install the Java Cryptography Extension (JCE) unlimited-strength policy files for the JDK that DSE runs on.
  2. Configure the location and the file name of the encryption key in dse.yaml:
    1. Set the system_key_directory property to the directory where the encryption keys are stored.
      system_key_directory: /etc/dse/conf
    2. Change the owner of that directory to the DSE account and ensure that the DSE account has read/write permissions. Do not grant read access to any other account: anyone who can read the key file can decrypt the data and configuration values it protects.
    3. Set config_encryption_key_name to the file name of the key you create in the next step. The default name is system_key.
      config_encryption_key_name: system_key
  3. Go to the system_key_directory and create an encryption key using the dsetool createsystemkey command:
    dsetool createsystemkey cipher_algorithm[/mode/padding] length [key_name]
    For example:
    dsetool createsystemkey 'AES/CBC/PKCS5Padding' 256 key_name
    Where key_name is the file name. If no file name is specified, the key file is named system_key. DSE supports the following JCE cipher algorithms and corresponding key lengths:
    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)
    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
    • DES/CBC/PKCS5Padding (valid with length 56)
    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)
    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)
    • RC2/CBC/PKCS5Padding (valid with length 40-128)
    Default value: AES/CBC/PKCS5Padding (with length 128)
    Use AES in CBC mode for new keys. ECB mode encrypts identical plaintext blocks to identical ciphertext blocks and therefore leaks structure of the data; DES, DESede, RC2, and Blowfish are legacy 64-bit block ciphers that remain available only for compatibility.
    Note: Encryption key files can have any valid Unix file name.
  4. Copy the key file to the same path on all other nodes in the cluster, preserving its ownership and permissions, and update system_key_directory and config_encryption_key_name in the dse.yaml on each node. Verify that every copy is identical (for example, by comparing a checksum) before relying on it.
    Note: dsetool reads the current values from dse.yaml. A restart is NOT required to continue setting up encryption.
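The following POSIX shell script carries the whole procedure above through as an added example; it is not part of the DSE documentation or of dsetool itself. It assumes, hypothetically, that the DSE service account is named cassandra, that dsetool is on the PATH of the node where the key is generated, that sha256sum is available on every node, and that the other nodes are reachable over ssh/scp; the dse.yaml fragment it writes is constructed for illustration. It also validates the cipher/length combinations listed in step 3 and refuses or warns on the weak ones, which the page's table alone does not do.

```shell
#!/bin/sh
# Added example, not DSE's or dsetool's own code. Hypothetical assumptions: DSE
# runs as "cassandra", dsetool is on PATH where the key is created, sha256sum
# exists on all nodes, and the sample dse.yaml below is constructed.
set -eu

DSE_YAML="${DSE_YAML:-/etc/dse/dse.yaml}"
KEY_DIR="${KEY_DIR:-/etc/dse/conf}"
KEY_NAME="${KEY_NAME:-system_key}"
DSE_USER="${DSE_USER:-cassandra}"

# Step 3 check: accept only the cipher/length pairs the page lists for createsystemkey.
validate_cipher() {
  algo=$1; bits=$2
  case "$algo" in
    AES/CBC/PKCS5Padding|AES/ECB/PKCS5Padding)
      case "$bits" in 128|192|256) return 0 ;; *) return 1 ;; esac ;;
    DES/CBC/PKCS5Padding)      [ "$bits" -eq 56 ] ;;
    DESede/CBC/PKCS5Padding)   case "$bits" in 112|168) return 0 ;; *) return 1 ;; esac ;;
    Blowfish/CBC/PKCS5Padding) [ "$bits" -ge 32 ] && [ "$bits" -le 448 ] ;;
    RC2/CBC/PKCS5Padding)      [ "$bits" -ge 40 ] && [ "$bits" -le 128 ] ;;
    *) return 1 ;;
  esac
}

# Only AES/CBC is a sound choice for new keys: ECB maps equal plaintext blocks to
# equal ciphertext blocks, and DES, DESede, RC2 and Blowfish are legacy 64-bit
# block ciphers kept for compatibility.
is_recommended_cipher() {
  case "$1" in AES/CBC/PKCS5Padding) return 0 ;; *) return 1 ;; esac
}

# Step 2: set a top-level "key: value" line in dse.yaml, replacing an existing
# uncommented line or appending one if absent (commented-out lines are left alone).
set_yaml_property() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}:" "$file"; then
    sed -i.bak "s|^${key}:.*|${key}: ${value}|" "$file" && rm -f "$file.bak"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

get_yaml_property() {
  sed -n "s|^${2}: *||p" "$1" | head -n 1
}

# Constructed dse.yaml fragment, written to FILE, used to demonstrate the edit.
write_sample_dse_yaml() {
  printf '%s\n' \
    '# constructed dse.yaml fragment (not a real DSE file)' \
    'system_key_directory: /etc/dse/conf' \
    'config_encryption_key_name: system_key' > "$1"
}

# Step 2b: the key directory belongs to the DSE account and is readable by
# nothing else; mode 700 satisfies "read/write for DSE" without exposing the key.
prepare_key_dir() {
  dir=$1
  mkdir -p "$dir"
  chmod 700 "$dir"
  if [ "$(id -u)" -eq 0 ] && id "$DSE_USER" >/dev/null 2>&1; then
    chown "$DSE_USER" "$dir"
  fi
}

# Step 3: generate the key inside KEY_DIR with dsetool, refusing unsupported
# combinations, warning on weak ones, and locking the key file to mode 600.
create_key() {
  cipher=$1; bits=$2
  validate_cipher "$cipher" "$bits" || { echo "unsupported: $cipher $bits" >&2; return 1; }
  is_recommended_cipher "$cipher" || echo "warning: $cipher is weak or legacy; prefer AES/CBC/PKCS5Padding" >&2
  command -v dsetool >/dev/null 2>&1 || { echo "dsetool not found on PATH" >&2; return 1; }
  (cd "$KEY_DIR" && dsetool createsystemkey "$cipher" "$bits" "$KEY_NAME")
  chmod 600 "$KEY_DIR/$KEY_NAME"
}

key_checksum() { sha256sum "$1" | cut -d' ' -f1; }

# Step 4: copy the key to the same path on every other node, preserving its mode,
# and confirm each copy is byte-identical before relying on it.
distribute_key() {
  local_sum=$(key_checksum "$KEY_DIR/$KEY_NAME")
  for node in "$@"; do
    ssh "$node" "mkdir -p '$KEY_DIR' && chmod 700 '$KEY_DIR'"
    scp -p "$KEY_DIR/$KEY_NAME" "$node:$KEY_DIR/$KEY_NAME"
    remote_sum=$(ssh "$node" "sha256sum '$KEY_DIR/$KEY_NAME'" | cut -d' ' -f1)
    [ "$remote_sum" = "$local_sum" ] || { echo "key mismatch on $node" >&2; return 1; }
  done
}

# Usage on the first node (the other nodes receive the key via distribute_key):
#   set_yaml_property "$DSE_YAML" system_key_directory "$KEY_DIR"
#   set_yaml_property "$DSE_YAML" config_encryption_key_name "$KEY_NAME"
#   prepare_key_dir "$KEY_DIR"
#   create_key AES/CBC/PKCS5Padding 256
#   distribute_key node2.example.internal node3.example.internal
```

The dse.yaml on the remaining nodes still has to be edited with the same two properties (the script only ships the key file), and the checksum comparison in distribute_key is what catches a truncated or stale copy, which would otherwise surface later as undecryptable data on that node.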