Configuring Local Encryption

Use locally-stored symmetric encryption keys to protect the following assets:

Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

  • Create any number of local encryption keys using the dsetool createsystemkey command.

    • Tables can use different encryption keys.

      DataStax Enterprise (DSE) creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt or decrypt the table key.

    • Configuration properties use the same key file that is defined by the config_encryption_key_name property.

    • All system resources use the same key file. (The file is not selectable.)

  • Distribute all local encryption key files cluster-wide. Put keys on all nodes in the same folder and define the location in the system_key_directory property in dse.yaml.

  • Ensure that the DSE account owns the system_key_directory and has read/write permission.

To change an encryption key, see Rekeying existing data.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com