Setting up local encryption keys

Set up local encryption/decryption key files.

Use dsetool createsystemkey to generate local encryption/decryption key files.

Setting up local encryption keys for production environments

After installing DSE, create local encryption/decryption key files in production environments.

After installing DSE, create a local encryption/decryption key file, distribute it to the same location on all nodes in the cluster, and update the dse.yaml system_key_directory and config_encryption_key_name properties.

dse.yaml

The location of the dse.yaml file depends on the type of installation:
  Package installations: /etc/dse/dse.yaml
  Tarball installations: installation_location/resources/dse/conf/dse.yaml

Procedure

  1. To ensure support for all encryption algorithms, install JCE.
  2. Configure the filename of the key file in the dse.yaml file. The default file name is system_key.
    config_encryption_key_name: system_key
    Tip: Encryption key files can have any valid Unix name.
  3. To set the key file output directory, set the system_key_directory property in dse.yaml to the path where you want to store the encryption keys. The default file path is /etc/dse/conf.
    system_key_directory: /etc/dse/conf
  4. Change the key file output directory owner to the DSE account and ensure that the DSE account has read/write permissions.
  5. Create an encryption/decryption key using the dsetool createsystemkey command:
    For example:
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128
    Result: A key file /etc/dse/conf/system_key is generated.
  6. Copy the key file to all other nodes in the cluster. Put keys on all nodes in the same directory.
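
The following script is an added example, not part of the DSE tooling or the original page. Run on each node, it reads the two dse.yaml properties set in steps 2 and 3, checks that the key directory and key file exist and belong to the DSE account, and prints a fingerprint to compare between nodes after step 6. The function names, the account name in the usage line, and the owner-only mode check are assumptions.

```sh
#!/bin/sh
# Added example: audit the key-file setup from the procedure above on one node.
# Usage: check_system_key /etc/dse/dse.yaml cassandra
#   (the account name is an assumption; pass the account DSE runs as)

# Read a top-level "key: value" scalar from dse.yaml (not a full YAML parser).
yaml_get() {
    sed -n "s/^$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Numeric uid of an account; a numeric argument passes through unchanged.
uid_of() { id -u "$1" 2>/dev/null || printf '%s\n' "$1"; }

# Owner uid and octal mode of a path: GNU stat first, BSD stat as fallback.
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

check_system_key() {
    yaml=$1; want=$(uid_of "$2"); rc=0
    dir=$(yaml_get "$yaml" system_key_directory)
    name=$(yaml_get "$yaml" config_encryption_key_name)
    dir=${dir:-/etc/dse/conf}      # default from the page
    name=${name:-system_key}       # default from the page
    key=$dir/$name

    [ -d "$dir" ] || { echo "FAIL: directory $dir does not exist"; return 1; }
    [ -f "$key" ] || { echo "FAIL: key file $key does not exist"; return 1; }
    [ "$(file_uid "$dir")" = "$want" ] || { echo "FAIL: $dir not owned by $2"; rc=1; }
    [ "$(file_uid "$key")" = "$want" ] || { echo "FAIL: $key not owned by $2"; rc=1; }

    # Hardening assumption, not a requirement stated on the page:
    # the key file should grant nothing to group or other (mode ends in 00).
    mode=$(file_mode "$key")
    case $mode in
        *00) ;;
        *) echo "FAIL: $key mode $mode is not owner-only (expected e.g. 600)"; rc=1 ;;
    esac

    # Fingerprint to compare between nodes after copying the key (step 6).
    [ "$rc" -eq 0 ] && echo "OK: $key sha256=$(sha256sum "$key" | cut -d' ' -f1)"
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a deployment step; the printed sha256 value should be identical on every node.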

Setting up local encryption keys to embed in installation package for development environments

Create local encryption/decryption keys that you can embed in a distribution package for development environments.

You can create a local encryption/decryption key file that can be embedded in a distribution (tarball). In development environments, this distribution package can then be used by other users. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.

Tip: The current user must have write permission to the directory where you want to generate the key files.

Procedure

  1. Specify the key file output directory when you create the encryption key with the dsetool createsystemkey command:
    For example:
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys
    Result: A key file /home/jane/keys/system_key is created.
  2. In the distribution tarball, create a directory for the system key file. Use the default location (/etc/dse/conf) or add a new location.
  3. If you used a new location, update the system_key_directory property in dse.yaml as appropriate.