Encrypting system resources
Use a KMIP key to encrypt the system.batchlog and system.paxos tables, hint files and commit logs.
Prerequisites
Complete the steps in Adding a KMIP host.
|
If any of the defined |
Procedure
-
Locate the
dse.yamlconfiguration file. The location of this file depends on the type of installation:-
Package installations:
/etc/dse/dse.yaml -
Tarball installations:
<installation_location>/resources/dse/conf/dse.yaml
-
-
In the
dse.yamlfile, configure encryption settings for system tables, thecommitlog, and thehintsfiles.system_info_encryption: enabled: ( true | false ) cipher_algorithm: <cipher_name> secret_key_strength: <length> key_provider: KmipKeyProviderFactory kmip_host: <kmip_group_name> chunk_length_kb: 64-
Required properties:
-
enabled: Set totrue. On the next startup, system resources are encrypted. If the system tables have existing data, usenodetool upgradesstablesto apply encryption. -
key_provider: Set toKmipKeyProviderFactory. -
kmip_host: Use the group name from thekmip_hostssection.
-
-
Optional: To ensure that
KMIPgenerates a compatible key, configure the type of encryption key to use:-
cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. DSE supports the following algorithms:Supported cipher algorithm names cipher_algorithm secret_key_strength AES
128, 192, or 256
DES
56
DESede
112 or 168
Blowfish
32-448
RC2
40-128
-
secret_key_strength: Specify the key length. -
chunk_length_kb: Configures chuck size for SSTables. The default64is used if the option is excluded. When these properties are set, DSE only uses a key that matches; if no matching key exists, start up fails.
-
-
-
To encrypt existing data, run
nodetool upgradesstables -a system batchlog paxoson all nodes in the cluster.
