Configuring local encryption

Use locally-stored symmetric encryption keys to protect the following assets:

Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

  • Create any number of local encryption keys using the dsetool createsystemkey command.

    • Tables can use different encryption keys.

      DataStax Enterprise (DSE) creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition, and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt/decrypt the table key.

    • Configuration properties use the same key file that is defined by the config_encryption_key_name property.

    • All system resources use the same key file. (The file is not selectable.)

  • Distribute all local encryption key files cluster-wide. Put keys on all nodes in the same folder and define the location in the system_key_directory property of the dse.yaml.

  • Ensure that the DSE account owns the system_key_directory and has read/write permission.

    Setting up local encryption keys

    Create local key files and set the file name to use for table and configuration file properties.

    Encrypting configuration file properties

    Protect LDAP passwords in the dse.yaml and SSL truststore passwords cassandra.yaml files.

    Encrypting system resources

    Protect sensitive data in the system keyspace, hint files, and commit logs.

    Encrypting tables

    Configure table encryption using a local encryption key on a per table basis.

    Rekeying existing data

    Create a new local encryption key, change the table key filename, and re-encrypt the SSTables using the new key.

    Troubleshooting encryption key errors

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com