Expiring an encryption key

Security policies generally limit the amount of time an encryption key is in use. This section describes how to expire a key without re-encrypting the existing data. After a key expires, it is no longer used to encrypt new data, but it is still used to decrypt existing data.

To change the key used for both encryption and decryption, see Rekeying tables using a new key.

Procedure

  1. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  2. Get a list of the available keys and states from the KMIP server:

    dsetool managekmip list kmip_group_name

    In this example result, a host named vormetricgroup has two keys:

    Keys on vormetricgroup:
    ID                                     Name               Cipher         State                Activation Date   Creation Date              Protect Stop Date   Keyspace
02-449   82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0        AES/CBC/PKCS5   Deactivated   Mon Apr 25 20:25:47 UTC 2016             n/a                            n/a         n/a
02-540   0eb2277e-0acc-4adb-9241-1dd84dde691c_0                  AES        Active   Tue May 31 12:57:59 UTC 2016             n/a                            n/a

    DSE supports one or more KMIP hosts. Each KMIP host is defined under a user-defined kmip_group_name in the kmip_hosts section of the dse.yaml.

  3. Expire the key:

    • Immediately expire the key:

      dsetool managekmip expirekey kmip\_group\_name key\_id

    • Schedule an expiration date:

      dsetool managekmip expirekey kmip\_group\_name key\_id datetime

      After the key expires, the database gets a new key for encryption the next time it refreshes the key cache (key_cache_millis); the default setting is five minutes. Expired keys are still available to decrypt data.

  4. Optional: Force a refresh of the DSE key cache by performing a rolling restart.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com