`dsetool createsystemkey`

Where is the dse.yaml file?

The location of the dse.yaml file depends on the type of installation:

Installation Type Location

Installation Type	Location
Package installations + Installer-Services installations	`/etc/dse/dse.yaml`
Tarball installations + Installer-No Services installations	`<installation_location>/resources/dse/conf/dse.yaml`

Package installations + Installer-Services installations

/etc/dse/dse.yaml

Tarball installations + Installer-No Services installations

<installation_location>/resources/dse/conf/dse.yaml

Creates an encryption/decryption key for transparent data encryption (TDE). You can specify a file name to create a local key or KMIP options to create a remote key.

See Transparent data encryption.

Synopsis

dsetool createsystemkey
[cipher_algorithm[/mode/padding]
[length] [key_name]
[-d filepath] [-k=kmip_groupname]
[-t kmip_template] [-n namespace]]

Syntax conventions

Syntax conventions Description

Syntax conventions	Description
UPPERCASE	Literal keyword.
Lowercase	Not literal.
`Italics`	Variable value. Replace with a valid option or user-defined value.
`[ ]`	Optional. Square brackets ( `[ ]` ) surround optional command arguments. Do not type the square brackets.
`( )`	Group. Parentheses ( `( )` ) identify a group to choose from. Do not type the parentheses.
`\|`	Or. A vertical bar ( `\|` ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
`...`	Repeatable. An ellipsis ( `...` ) indicates that you can repeat the syntax element as often as required.
`'Literal string'`	Single quotation ( `'` ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
`{ key:value }`	Map collection. Braces ( `{ }` ) enclose map collections or key value pairs. A colon separates the key and the value.
`<datatype1,datatype2>`	Set, list, map, or tuple. Angle brackets ( `< >` ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
`cql_statement;`	End CQL statement. A semicolon ( `;` ) terminates all CQL statements.
`[ -- ]`	Separate the command line options from the command arguments with two hyphens ( `--` ). This syntax is useful when arguments might be mistaken for command line options.
`' <schema> … </schema> '`	Search CQL only: Single quotation marks ( `'` ) surround an entire XML schema declaration.
`@xml_entity='xml_entity_type'`	Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files.

UPPERCASE

Literal keyword.

Lowercase

Not literal.

Italics

Variable value. Replace with a valid option or user-defined value.

[ ]

Optional. Square brackets ( [ ] ) surround optional command arguments. Do not type the square brackets.

( )

Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.

|

Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

...

Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.

'Literal string'

Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

{ key:value }

Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.

<datatype1,datatype2>

Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

cql_statement;

End CQL statement. A semicolon ( ; ) terminates all CQL statements.

[ -- ]

Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.

' <schema> … </schema> '

Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.

@xml_entity='xml_entity_type'

Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files.

cipher_algorithm[/mode/padding]

DSE supports the following JCE cipher algorithms and corresponding length:

AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).
AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
DES/CBC/PKCS5Padding (valid with length 56)
DESede/CBC/PKCS5Padding (valid with length 112 or 168)
Blowfish/CBC/PKCS5Padding (valid with length 32-448)
RC2/CBC/PKCS5Padding (valid with length 40-128) Default: AES/CBC/PKCS5Padding (with length 128).

-d filepath, --directory filepath

Key file output directory. Enables creating key files before DSE is installed. This option is typically used by IT automation tools like Ansible. When no directory is specified, keys are saved to the value of system_key_directory in dse.yaml.

length

Required if cipher_algorithm is specified. Key length is not required for HMAC algorithms. Default value: 128 (with the default cipher algorithm AES/CBC/PKCS5Padding)

file_name

Unique file name for the generated system key file. Encryption key files can have any valid Unix name. If no name is specified, the default file name is system_key. The default key file name is not configurable. The location of the key is specified with system_key_directory in dse.yaml.

-k=kmip_groupname

The name of the KMIP group that is defined in the kmip_hosts section of dse.yaml.

-t kmip_template

The key template on the specified KMIP provider.

-n namespace

Namespace on the specified KMIP provider.

Examples

To create an on-server key file:

dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key2

where system_key2 is the unique file name for the generated on-server key file.

To create an off-server key file:

dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key2 -kmip=group2

where group2 is the key server group defined in the kmip_hosts section of dse.yaml.

To create a local key file in a specific directory:

dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /mydir