Rekeying tables using a new key

Change the encryption key that is used for both encrypting new data and decrypting the existing data. Use these steps to secure the data after an event that potentially compromised an encryption key, such as a change in security administration staff. Before destroying the old key, revoke the compromised KMIP key, wait for the database key cache refresh, and then re-encrypt existing SSTables with the new key.

The database caches the encryption keys and refreshes the cache at the interval set by the key_cache_millis option in dse.yaml (default setting is 5 minutes). To get a new key, either wait for the key cache refresh interval or perform a rolling restart.

The dsetool managekmip commands proxy KMIP commands to the corresponding host; the commands affect encryption keys as follows:

  • dsetool managekmip expirekey: Database stops using the key for encryption at the specified time and continues to use the expired key to decrypt existing data. Data re-keying is not required.

    Use this command to satisfy security policies that require periodically switching the encryption key.

  • dsetool managekmip revoke: Permanently disables the key on the KMIP server. Database can no longer use the key for encryption, but continues to use the key for decryption of existing data. Re-encrypt existing data before completely removing the key from the KMIP server.

    Use this command as the first step when replacing a compromised key.

  • dsetool managekmip destroy: Completely removes the key from the KMIP server. Database can no longer use the key for encryption or decryption. Existing data that has not been re-encrypted becomes inaccessible.

    Use this command only after revoking a key and re-encrypting existing data.

Procedure

  1. Back up SSTables.

  2. Revoke the compromised key using dsetool:

    1. Get the ID of the KMIP encryption key you want to revoke from the KMIP server:

      dsetool managekmip list <kmip_groupname>

      The following is an example of a KMIP server that has two keys, active and deactivated.

      ID                                     Name          Cipher         State                Activation Date   Creation Date              Protect Stop Date   Namespace
      02-449   82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0   AES/CBC/PKCS5   Deactivated   Mon Apr 25 20:25:47 UTC 2016             n/a                            n/a         n/a
      02-540   0eb2277e-0acc-4adb-9241-1dd84dde691c_0             AES        Active   Tue May 31 12:57:59 UTC 2016             n/a                            n/a         n/a

      DSE supports one or more KMIP hosts. Each KMIP host is defined under a user-defined kmip_group_name in the kmip_hosts section of the dse.yaml.

    2. Revoke the key you want to replace using the ID:

      dsetool managekmip revoke <kmip_groupname> <key_id>

      Revoking permanently deactivates the key on the KMIP server. When the key cache refreshes, a new key for encryption/decryption is automatically created. Revoked keys are still used to decrypt existing data. DO NOT destroy the revoked key until after re-encrypting the existing data.

    3. Verify that the key State is Deactivated.

      dsetool managekmip list <kmip_groupname>

      The following is an example of a KMIP server that has two keys:

      ID                                     Name               Cipher         State                Activation Date   Creation Date              Protect Stop Date   Namespace
      02-449   82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0        AES/CBC/PKCS5   Deactivated   Mon Apr 25 20:25:47 UTC 2016             n/a                            n/a         n/a
      02-540   0eb2277e-0acc-4adb-9241-1dd84dde691c_0                  AES   Deactivated   Tue May 31 12:57:59 UTC 2016             n/a   Thu Jul 27 17:16:38 UTC 2017

  3. Refresh the database key cache using one of the following methods:

    • Wait for the amount of time specified by the key_cache_millis setting in dse.yaml before continuing to the next step.

    • Perform a rolling restart, see Starting and stopping.

      KMIP keys are cached on the DSE node. DSE refreshes the cache and a new key is automatically generated by the KMIP server after key_cache_millis in dse.yaml lapses; the default setting is 5 minutes.

  4. (Optional) Use the DESC KEYSPACE command to list the affected tables that must be re-encrypted with the new key:

    For example, to find all tables in the cycling keyspace that use the KMIP group:

    DESC KEYSPACE cycling

  5. Use nodetool upgradesstables to rewrite the encrypted SSTables using the new key. Run the following command on every node in the cluster:

    • Target only specific tables:

      nodetool upgradesstables --include-all-sstables <keyspace_name> <table_name> [<table_name> …]

    • Target specific keyspace:

      nodetool upgradesstables --include-all-sstables <keyspace_name>

    • All keyspaces and tables:

      nodetool upgradesstables --include-all-sstables

  6. (Optional) Remove the encryption key so that it is no longer available for decryption:

    dsetool managekmip destroy <kmip_groupname> <key_id>

    The backed up SSTables are only accessible using the old key. Ensure that the data is accessible before removing the key.
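
A guard for steps 2.3 and 5, as an added shell example that is not part of the DataStax documentation: it parses the dsetool managekmip list output and rewrites SSTables only when the old key shows as Deactivated. The function names are hypothetical, and the column order is assumed to match the example listing above.

```shell
#!/bin/sh
# Added example, not DataStax code. Assumes `dsetool managekmip list` prints
# whitespace-separated columns in the order shown on this page:
# ID, Name, Cipher, State, ...

# Example listing from this page, trailing columns trimmed.
SAMPLE_LISTING='ID       Name                                     Cipher          State
02-449   82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0   AES/CBC/PKCS5   Deactivated
02-540   0eb2277e-0acc-4adb-9241-1dd84dde691c_0   AES             Active'

# Print the State of key ID $1 from a listing on stdin; exit 1 if absent.
kmip_key_state() {
    awk -v id="$1" '
        $1 == id && !found { print $4; found = 1 }
        END { exit !found }
    '
}

# 0 = key is Deactivated (revoked), 1 = any other state, 2 = ID not listed.
kmip_key_revoked() {
    state=$(kmip_key_state "$1") || return 2
    [ "$state" = "Deactivated" ]
}

# Step 5 guarded by step 2.3: rewrite a keyspace's SSTables on this node only
# if the old key is revoked. Call it after the key cache has refreshed
# (step 3); run it on every node.
# Usage: rekey_keyspace <kmip_groupname> <key_id> <keyspace_name>
rekey_keyspace() {
    if dsetool managekmip list "$1" | kmip_key_revoked "$2"; then
        nodetool upgradesstables --include-all-sstables "$3"
    else
        echo "key $2 is not Deactivated in group $1; SSTables not rewritten" >&2
        return 1
    fi
}

# Offline demonstration against the sample listing.
for id in 02-449 02-540; do
    printf '%s: %s\n' "$id" "$(printf '%s\n' "$SAMPLE_LISTING" | kmip_key_state "$id")"
done
```

If dsetool fails or the key ID is missing from the listing, the check fails closed and nodetool is not run.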
