Encrypting system resources

Protect sensitive data in the system keyspace, hint files, and commit logs.

Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.

Note: If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables.


The location of the dse.yaml file depends on the type of installation:
Package installations /etc/dse/dse.yaml
Tarball installations installation_location/resources/dse/conf/dse.yaml


Complete the key setup described in Setting up local encryption keys.
Note: When using a local encryption key file, set the location system_key_directory and ensure that the key file is owned by the account running DSE.


  1. In the dse.yaml file, configure encryption settings for system tables, the commit log, and the hints files.
      enabled: true
      cipher_algorithm: cipher_name
      secret_key_strength: key_length
      chunk_length_kb: default_table_chunk_size
    • Required. Set enabled to true.
    • Optional. Configure the type of encryption key to use:
      • cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. For a list of support algorithms, see cipher_algorithm
      • secret_key_strength: Specify the key length.
      • chunk_length_kb: Size of SSTables. The default (64) is used if the option is excluded.
      When these properties are set, DSE only uses a key that matches; if no matching key exists, start up fails.
  2. Perform a rolling restart of DSE.
  3. To encrypt existing data, run nodetool upgradesstables -a system batchlog paxos on all nodes in the cluster.