Encrypting system resources

Use a KMIP key to encrypt the system.batchlog and system.paxos tables, hint files and commit logs.

Prerequisites

Complete the steps in Adding a KMIP host.

If any of the defined KMIP groups are not available, DSE startup fails.

Procedure

  1. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  2. In the dse.yaml file, configure encryption settings for system tables, the commit log, and the hints files.

    system_info_encryption:
      enabled: ( true | false )
      cipher_algorithm: <cipher_name>
      secret_key_strength: <length>
      key_provider: KmipKeyProviderFactory
      kmip_host: <kmip_group_name>
      chunk_length_kb: 64
    • Required properties:

      • enabled: Set to true. On the next startup, system resources are encrypted. If the system tables have existing data, use nodetool upgradesstables to apply encryption.

      • key_provider: Set to KmipKeyProviderFactory.

      • kmip_host: Use the group name from the kmip_hosts section.

    • Optional: To ensure that KMIP generates a compatible key, configure the type of encryption key to use:

      • cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. DSE supports the following algorithms:

        Supported cipher algorithm names
        cipher_algorithm secret_key_strength

        AES

        128, 192, or 256

        DES

        56

        DESede

        112 or 168

        Blowfish

        32-448

        RC2

        40-128

      • secret_key_strength: Specify the key length.

      • chunk_length_kb: Configures chuck size for SSTables. The default 64 is used if the option is excluded. When these properties are set, DSE only uses a key that matches; if no matching key exists, start up fails.

  3. Perform a rolling restart.

  4. To encrypt existing data, run nodetool upgradesstables -a system batchlog paxos on all nodes in the cluster.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com