Configuring local encryption

Use locally-stored symmetric encryption keys to protect the following assets:

- Configuration file property values: LDAP search, LDAP truststore, and SSL truststore passwords.
- Sensitive system resources: system batchlog and paxos tables, hint files, and commit logs.
- Table data: any table.
- Search indexes: all search indexes.
Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

- Create any number of local encryption keys using the dsetool createsystemkey command.
- Tables can use different encryption keys. DataStax Enterprise (DSE) creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition, and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt and decrypt that table key.
- Configuration properties use the key file defined by the config_encryption_key_name property.
- All system resources use the same key file. (The file is not selectable.)
- Distribute all local encryption key files cluster-wide. Put the keys on every node in the same folder and define that location in the system_key_directory property of dse.yaml.
- Ensure that the DSE account owns the system_key_directory and has read/write permission on it.
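As an added example, not part of the DataStax documentation, the following shell functions check the last two guidelines on a node: the key directory and its files belong to the DSE account and are readable only by that account, and each key file is fingerprinted so the output can be diffed across nodes to confirm the same keys were distributed. The directory path and account name are assumed parameters; the key files are treated as opaque.

```shell
#!/bin/sh
# Added example, not part of the DataStax documentation. Checks a
# system_key_directory against the guidelines above: owned by the DSE
# service account, not readable by group/world, and fingerprinted so the
# same key files can be confirmed on every node. DIR and OWNER are
# assumed parameters; the key files are treated as opaque.

# Permission bits of a path in octal (e.g. 600): GNU stat, then BSD stat.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user name of a path.
owner_of() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_key_dir DIR OWNER
# Returns 0 when DIR is mode 700, every key file in it is mode 600 or 400,
# and all of them belong to OWNER; otherwise reports each problem, returns 1.
check_key_dir() {
  dir=$1; owner=$2; rc=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  [ "$(owner_of "$dir")" = "$owner" ] || { echo "$dir: not owned by $owner"; rc=1; }
  [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: mode $(mode_of "$dir"), expected 700"; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue        # skip when the glob matches nothing
    [ "$(owner_of "$f")" = "$owner" ] || { echo "$f: not owned by $owner"; rc=1; }
    case "$(mode_of "$f")" in
      600|400) ;;
      *) echo "$f: mode $(mode_of "$f"), expected 600"; rc=1 ;;
    esac
  done
  return "$rc"
}

# key_fingerprints DIR
# Prints "<sha256>  <filename>" per key file; diff the output between nodes
# to confirm identical keys were distributed cluster-wide.
key_fingerprints() {
  ( cd "$1" || exit 1
    for f in *; do
      [ -f "$f" ] || continue
      if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f"
      else
        shasum -a 256 "$f"
      fi
    done )
}
```

Run `check_key_dir /path/to/system_key_directory dse` on each node before enabling encryption; a non-zero exit lists every ownership or permission problem found.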
- Setting up local encryption keys: Create local key files and set the file name to use for table and configuration file properties.
- Encrypting configuration file properties: Protect LDAP passwords in dse.yaml and SSL truststore passwords in cassandra.yaml.
- Encrypting system resources: Protect sensitive data in the system keyspace, hint files, and commit logs.
- Encrypting tables: Configure table encryption using a local encryption key on a per-table basis.
- Rekeying existing data: Create a new local encryption key, change the table key filename, and re-encrypt the SSTables using the new key.
- Troubleshooting encryption key errors