Configuring local encryption
Use locally-stored symmetric encryption keys to protect the following assets:
-
Configuration file property values: LDAP search, LDAP truststore, and SSL truststore passwords.
-
Sensitive system resources: System batchlog and paxos tables, hint files, and commit logs.
-
Table data: Any table.
-
Search indexes: All search indexes
When you encrypt tables, hint files, commit logs, and configuration properties using a local key:
-
Create any number of local encryption keys using the dsetool createsystemkey command.
-
Tables can use different encryption keys.
DataStax Enterprise (DSE) creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition, and stores it in the
dse_system.encrypted_keystable. The local encryption key file is used to encrypt/decrypt the table key. -
Configuration properties use the same key file that is defined by the config_encryption_key_name property.
-
All system resources use the same key file. (The file is not selectable.)
-
-
Distribute all local encryption key files cluster-wide. Put keys on all nodes in the same folder and define the location in the
system_key_directoryproperty of the dse.yaml. -
Ensure that the DSE account owns the system_key_directory and has read/write permission.
If you need to reencrypt data with a new key, see Rekeying existing data.
For assistance with errors, see Troubleshooting encryption key errors.