Setting up Local Encryption Keys

Use dsetool createsystemkey to generate local encryption/decryption key files.

To change an encryption key, see Rekeying existing data.

Set up local encryption keys for production environments

After installing DSE, create a local encryption key file, distribute it to the same location on all nodes in the cluster, and then update the system_key_directory and config_encryption_key_name properties in dse.yaml. For package installations the dse.yaml file is located at /etc/dse/dse.yaml. For tarball installations the dse.yaml file is located at INSTALL_DIRECTORY/resources/dse/conf/dse.yaml.

  1. To ensure support for all encryption algorithms, enable JCE.

    Starting in JDK 8u161, JCE Unlimited is enabled by default.

  2. If the directory does not exist, create the /conf directory based on your DataStax Enterprise (DSE) installation type:

    • Package installation: /etc/dse/conf

    • Tarball installation: INSTALL_DIRECTORY/resources/dse/conf

  3. Configure the file name and the location of the encryption key in the dse.yaml file:

    1. Set system_key_directory property to the path where you want to store the encryption keys.

      system_key_directory: /etc/dse/conf

    2. Change the directory owner to the DSE account and ensure that the DSE account has read/write permissions.

    3. Set the config_encryption_key_name to the anticipated key name. Encryption key files can have any valid Unix name. The default name is system_key.

      config_encryption_key_name: system_key

  4. Change to the directory specified in system_key_directory:

    cd /etc/dse/conf

  5. Create an encryption key using the dsetool createsystemkey command.

    If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key still successfully generates.

    For example:

    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 <key_name>

    key_name

    The name of the key file to create. This must match the key name you specified in config_encryption_key_name. If no file name is specified, the key file is named system_key.

    cipher_algorithm[/mode/padding]

    Sets the type of encryption key. DSE supports the following JCE algorithms and corresponding length values:

    • AES/CBC/PKCS5Padding: Valid with length 128, 192, or 256. The default is AES/CBC/PKCS5Padding with length 128.

    • AES/ECB/PKCS5Padding: Valid with length 128, 192, or 256.

    • DES/CBC/PKCS5Padding: Valid with length 56.

    • DESede/CBC/PKCS5Padding: Valid with length 112 or 168.

    • Blowfish/CBC/PKCS5Padding: Valid with length 32-448.

    • RC2/CBC/PKCS5Padding: Valid with length 40-128.

  6. Copy the key file to all other nodes in the cluster.

    Make sure the key file is in the same directory on all nodes.

  7. Update the system_key_directory and config_encryption_key_name in dse.yaml.

    dsetool reads the current values from dse.yaml; a restart is not required to continue setting up encryption.

  8. Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user:

    chown cassandra /etc/dse/conf/system_key

Setting up local encryption keys to embed in an installation package for development environments

You can create a local encryption/decryption key file and embed it in a distribution tarball. In development environments, other users can then use this distribution package. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.

The current user must have write permission to the directory where you want to generate the key files.

  1. Specify the key file output directory when you create the encryption key with the dsetool createsystemkey command. For example:

    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys

    The key file is created at the specified path, such as /home/jane/keys/system_key.

  2. In the distribution tarball, create a directory for the system key file. Use the default location (/etc/dse/conf) or add a new location.

  3. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: INSTALL_DIRECTORY/resources/dse/conf/dse.yaml

  4. If you used a new location, then update the system_key_directory property in dse.yaml as appropriate.
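The following preflight script is an added example, not part of the DSE documentation or of dsetool, and it serves both procedures above: run it on a node after step 8 of the production setup, or after a development tarball has been unpacked on a node. It reads system_key_directory and config_encryption_key_name from dse.yaml, checks the key file they name, validates a cipher/length pair against the table above, and confirms that digests gathered from every node agree. The owner-only permission rule is this script's own assumption, the digest list is assumed to be collected separately (for example from sha256sum on each node), and the dse.yaml, key file and digests it exercises are constructed placeholders.

```shell
# Added check (not part of the DSE docs or dsetool): resolves the key file named by
# system_key_directory and config_encryption_key_name in dse.yaml, verifies presence,
# DSE-account ownership and owner-only mode (the mode rule is this check's own assumption).

# First value of top-level property $2 in dse.yaml $1, trailing comment removed.
yaml_prop() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Accept only the cipher_algorithm/length pairs listed for dsetool createsystemkey.
valid_key_spec() {
  case "$1" in
    AES/CBC/PKCS5Padding|AES/ECB/PKCS5Padding) case "$2" in 128|192|256) return 0 ;; esac ;;
    DES/CBC/PKCS5Padding)      [ "$2" -eq 56 ] && return 0 ;;
    DESede/CBC/PKCS5Padding)   case "$2" in 112|168) return 0 ;; esac ;;
    Blowfish/CBC/PKCS5Padding) [ "$2" -ge 32 ] && [ "$2" -le 448 ] && return 0 ;;
    RC2/CBC/PKCS5Padding)      [ "$2" -ge 40 ] && [ "$2" -le 128 ] && return 0 ;;
  esac
  return 1
}

# Key file named by dse.yaml $1 must exist, be owned by $2 (name or uid) and have mode 600.
check_system_key() {
  dir=$(yaml_prop "$1" system_key_directory)
  name=$(yaml_prop "$1" config_encryption_key_name)
  [ -n "$dir" ] || { echo "system_key_directory not set in $1"; return 1; }
  key="$dir/${name:-system_key}"            # dsetool's default key name is system_key
  [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
  case "$2" in *[!0-9]*) want=$(id -u "$2") || return 1 ;; *) want=$2 ;; esac
  have=$(ls -ldn "$key" | awk '{print $3}')
  [ "$have" = "$want" ] || { echo "$key owned by uid $have, expected $2"; return 1; }
  bits=$(ls -ldn "$key" | cut -c5-10)
  [ "$bits" = "------" ] || { echo "$key readable beyond its owner (mode bits $bits)"; return 1; }
  echo "ok: $key"
}

# Every node must hold the same key: $1 has one "host digest" line per node.
keys_consistent() {
  [ "$(awk '{print $2}' "$1" | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Constructed demo node: dse.yaml, an owner-only placeholder key file, two matching node digests.
demo=$(mktemp -d); mkdir -p "$demo/conf"
printf 'placeholder-not-a-real-key\n' > "$demo/conf/system_key"; chmod 600 "$demo/conf/system_key"
printf 'system_key_directory: %s/conf\nconfig_encryption_key_name: system_key  # as passed to dsetool\n' "$demo" > "$demo/dse.yaml"
printf 'node1 %s\nnode2 %s\n' deadbeef deadbeef > "$demo/digests"   # constructed sha256sum output
check_system_key "$demo/dse.yaml" "$(id -u)" && keys_consistent "$demo/digests" && echo "cluster key ok"
```

On a real node, pass the DSE account name (for example cassandra) instead of the current uid, and feed keys_consistent a file built from each node's digest of the key file.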

© Copyright IBM Corporation 2025