Setting up local encryption keys

Create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the dse.yaml system_key_directory and config_encryption_key_name properties.

To change an encryption key, see Rekeying existing data.


To ensure support for all encryption algorithms, enable JCE Unlimited.


  1. If the directory does not exist, create the /conf directory based on your DataStax Enterprise (DSE) installation type:

    • Package installation

    • Tarball installation

  2. Configure the file name and the location of the encryption key in the dse.yaml file:

    1. Set system_key_directory property in the dse.yaml to the path where you want to store the encryption keys.

      system_key_directory: /etc/dse/conf
    2. Change the directory owner to the DSE account and ensure that the DSE account has read/write permissions.

    3. Set the config_encryption_key_name to the <key_name> in the dse.yaml. The default name is system_key.

      config_encryption_key_name: system_key
  3. Go to the system_key_directory from the dse.yaml, and then create an encryption key using the dsetool createsystemkey command:

    For example:

    cd /etc/dse/conf
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 <key_name>

    Where <key_name> is the name of the key file to create. If no file name is specified, the key file is named system_key. DSE supports the following JCE cipher algorithms and corresponding length:


    DSE supports the following JCE cipher algorithms and corresponding length:

    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).

    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)

    • DES/CBC/PKCS5Padding (valid with length 56)

    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)

    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)

    • RC2/CBC/PKCS5Padding (valid with length 40-128) Default: AES/CBC/PKCS5Padding (with length 128).

    Default: AES/CBC/PKCS5Padding (with length 128).

    Encryption key files can have any valid Unix name.

    If config_encryption_active is set to <true> in dse.yaml, a warning is generated, but the system key is still successfully generated.

  4. Copy the key file to all other nodes in the cluster and update the system_key_directory and config_encryption_key_name in dse.yaml.

    dsetool reads current values from dse.yaml. A restart is not required to continue configuring encryption.

  5. Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user.

    chown cassandra /etc/dse/conf/system_key

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,