Encrypting configuration file properties

Configure DSE to use a KMIP encryption key to decrypt sensitive configuration properties. Use passwords encrypted with the KMIP key for the following properties:

  • dse.yaml LDAP values:

    ldap_options.search_password
ldap_options.truststore_password

    Restriction: Use plain text for the KMIP keystore or truststore passwords.

  • cassandra.yaml SSL values:

    server_encryption_options.keystore_password
server_encryption_options.truststore_password
client_encryption_options.keystore_password
client_encryption_options.truststore_password

DataStax Enterprise caches encryption keys from the KMIP host and refreshes the cache at the interval set by the key_cache_millis property in dse.yaml; the default setting is five minutes.

Prerequisites

Complete the steps in Adding a KMIP host.

If any of the defined KMIP groups are not available, DSE startup fails.

Prerequisites

Complete the steps in Adding a KMIP host.

If any of the defined KMIP groups are not available, DSE startup fails.

Procedure

  1. Back up the configuration files.

  2. Get the URL of the KMIP encryption key:

    • To create a new key and get the URL:

      dsetool createsystemkey '<AES/ECB/PKCS5>' 128 -k <kmip_group_name>

      The example output shows the URL for the <host_name> in the dse.yaml with ID: 02-1655.

      kmip://<host_name>/02-1655

    • To use an existing KMIP key, the URL syntax is kmip://<kmip_group_name>/<ID>. To look up the key ID:

      dsetool managekmip list <kmip_group_name>

      For example, the <host_name> has the following keys:

      Keys on <host_name>:
    ID                                     Name               Cipher         State                Activation Date   Creation Date              Protect Stop Date   Namespace
02-449   82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0        AES/CBC/PKCS5   Deactivated   Mon Apr 25 20:25:47 UTC 2016             n/a                            n/a         n/a
02-540   0eb2277e-0acc-4adb-9241-1dd84dde691c_0                  AES        Active   Tue May 31 12:57:59 UTC 2016             n/a                            n/a`

      The URL of the second key in the list is kmip://<host_name>/02-540.

  3. Configure system property encryption settings in the dse.yaml.

    1. Enable system property encryption:

      config_encryption_active: true

    2. Set the URL of the KMIP key used to decrypt properties:

      config_encryption_key_name: <KMIP_key_URL>

      Where <KMIP_key_URL> format is kmip://kmip_group_name/key-id, for example kmip://<host_name>/02-1655.

  4. For each property, replace plain text passwords with encrypted passwords returned by running the dsetool encryptconfigvalue command:

    1. Encrypt the password:

      dsetool encryptconfigvalue
      Using system key system_key

Enter value to encrypt:
Enter again to confirm:

Your encrypted value is:

+Vj5oHCR/jqfA+OJE2m8zA==

    2. Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml:

      truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==

      Once configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.

  5. Optional. Set up system resource encryption.

  6. Perform a rolling restart.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com