DataStax Enterprise 6.8 Security Guide

    • About DSE Advanced Security
    • Security FAQs
    • Security checklists
    • Securing the environment
      • Securing ports
      • Securing the TMP directory
    • Authentication and authorization
      • Configuring authentication and authorization
        • About DSE Unified Authentication
          • Steps for new deployment
          • Steps for production environments
        • Configuring security keyspaces
        • Setting up Kerberos
          • Kerberos guidelines
          • Enabling JCE Unlimited
            • Removing AES-256
          • Preparing DSE nodes for Kerberos
            • DNS and NTP
            • krb5.conf
            • Principal
            • Keytab
        • Enabling authentication and authorization
          • Defining a Kerberos scheme
          • Defining an LDAP scheme
        • Configuring JMX authentication
        • Configuring cache settings
        • Securing schema information
      • Managing database access
        • About RBAC
        • Setting up logins and users
          • Adding a superuser login
          • Adding database users
          • LDAP users and groups
            • LDAP logins
            • LDAP groups
          • Kerberos principal logins
          • Setting up roles for applications
          • Binding a role to an authentication scheme
        • Assigning permissions
          • Database object permissions
            • Data resources
            • Functions and aggregate resources
            • Search indexes
            • Roles
            • Proxy login and execute
            • Authentication schemes
            • DSE Utilities (MBeans)
            • Analytic applications
            • Remote procedure calls
          • Separation of duties
          • Keyspaces and tables
          • Row Level Access Control (RLAC)
          • Search index permissions
          • DataStax Graph keyspace
          • Spark application permissions
          • DataStax Studio permissions
          • Remote procedure calls
          • DSE client-tool spark
          • JMX MBean permissions
          • Deny (denylist) db object permission
          • Restricting access to data
      • Providing credentials from DSE tools
        • About clients
        • Internal and LDAP authentication
          • Command line
          • File
          • Environment variables
          • Using CQLSH
        • Kerberos
          • JAAS configuration file location
          • Keytab
          • Ticket Cache
          • Spark jobs
          • SSTableLoader
          • Graph and gremlin-console
          • dsetool
          • CQLSH
        • Nodetool
        • JConsole
    • Auditing database activity
      • Enabling database auditing
      • Capturing DSE Search HTTP requests
      • Log formats
      • View events from DSE audit table
    • Transparent data encryption
      • About Transparent Data Encryption
      • Configuring local encryption
        • Setting up local encryption keys
        • Encrypting configuration file properties
        • Encrypting system resources
        • Encrypting tables
        • Rekeying existing data
        • Using tools with TDE-encrypted SSTables
        • Troubleshooting encryption key errors
      • Configuring KMIP encryption
      • Encrypting Search indexes
        • Encrypting new Search indexes
        • Encrypting existing Search indexes
        • Tuning encrypted Search indexes
      • Migrating encrypted tables from earlier versions
      • Bulk loading data between TDE-enabled clusters
    • Configuring SSL
      • Steps for configuring SSL
      • Creating SSL certificates, keystores, and truststores
        • Remote keystore provider
        • Local keystore files
      • Securing node-to-node connections
      • Securing client-to-node connections
        • Configuring JMX on the server side
        • nodetool, nodesync, dsetool, and Advanced Replication
        • JConsole (JMX)
        • SSTableloader
        • Connecting to SSL-enabled nodes using cqlsh
      • Enabling SSL encryption for DSEFS
      • Reference: SSL instruction variables
    • Securing Spark connections
  • DataStax Enterprise 6.8 Security Guide
  • Transparent data encryption
  • Configuring local encryption
  • Setting up local encryption keys

Setting up Local Encryption Keys

Use dsetool createsystemkey to generate local encryption/decryption key files.

To change an encryption key, see Rekeying existing data.

Setting up local encryption keys for production environments

After installing DSE, create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the dse.yaml system_key_directory and config_encryption_key_name properties.

The location of the dse.yaml file depends on the type of installation:

  • Package installations: /etc/dse/dse.yaml

  • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

Prerequisites

To ensure support for all encryption algorithms, enable JCE.

Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.

Procedure

  1. If the directory does not exist, create the /conf directory based on your DataStax Enterprise (DSE) installation type:

    • Package installation: /etc/dse/conf

    • Tarball installation: <installation_location>/resources/dse/conf

  2. Configure the file name and the location of the encryption key in the dse.yaml file:

    1. Set the system_key_directory property to the path where you want to store the encryption keys:

      system_key_directory: /etc/dse/conf

    2. Change the directory owner to the DSE account and ensure that the DSE account has read/write permissions on the directory.

    3. Set config_encryption_key_name to the <key_name>. The default name is system_key.

      config_encryption_key_name: system_key

      Encryption key files can have any valid Unix name.

  3. Go to the system_key_directory and then create an encryption key using the dsetool createsystemkey command:

    For example:

    cd /etc/dse/conf
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 <key_name>

    Where <key_name> is the name of the key file to create. If no file name is specified, the key file is named system_key.

    DSE supports the following JCE cipher algorithms, given as cipher_algorithm[/mode/padding], and the corresponding key lengths:

    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)

    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)

    • DES/CBC/PKCS5Padding (valid with length 56)

    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)

    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)

    • RC2/CBC/PKCS5Padding (valid with length 40-128)

    Default value: AES/CBC/PKCS5Padding (with length 128).

    If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key is still generated successfully.

  4. Copy the key file to all other nodes in the cluster. Put keys on all nodes in the same directory.

  5. Update the system_key_directory and config_encryption_key_name in dse.yaml.

    dsetool reads the current values from dse.yaml, so a restart is not required to continue setting up encryption.

  6. Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user.

    chown cassandra /etc/dse/conf/system_key
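A check for the layout this procedure produces, added here as an example and not part of the DataStax documentation: it reads the two dse.yaml properties set above and verifies that the key file exists, is owned by the DSE account, and is closed to group and others (the page asks only for DSE read/write access; the stricter mode check is this example's assumption). The conf directory, dse.yaml and key file it builds are constructed stand-ins, and the DSE account name is a parameter (cassandra on package installations, as in step 6).

```shell
#!/usr/bin/env bash
# Added example (not DataStax code): verify the local key layout set up above.
# Reads system_key_directory and config_encryption_key_name from a dse.yaml,
# then checks that the key file exists, is owned by the DSE account, and is
# not readable or writable by group/others.
set -u

# yaml_value FILE KEY -> prints the value of the top-level "KEY: value" line
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" |
    head -n1 | sed 's/[[:space:]]*$//'
}

# check_system_key DSE_YAML DSE_USER -> 0 if the key file is present and
# protected, 1 otherwise; one line is printed per problem found.
check_system_key() {
  local yaml="$1" user="$2" dir name key owner mode rc=0
  dir=$(yaml_value "$yaml" system_key_directory)
  name=$(yaml_value "$yaml" config_encryption_key_name)
  [ -n "$name" ] || name=system_key        # dsetool's default key file name
  key="$dir/$name"
  if [ ! -f "$key" ]; then
    echo "missing key file: $key"; return 1
  fi
  owner=$(stat -c %U "$key" 2>/dev/null || stat -f %Su "$key")   # GNU, then BSD stat
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  if [ "$owner" != "$user" ]; then
    echo "$key is owned by $owner, expected $user"; rc=1
  fi
  case "$mode" in            # last two octal digits are the group/other bits
    *00) ;;
    *) echo "$key has mode $mode; group and others should have no access"; rc=1 ;;
  esac
  return "$rc"
}

# make_sample DIR MODE -> constructed stand-in for a conf directory: a minimal
# dse.yaml pointing at DIR plus a placeholder key file with the given mode.
make_sample() {
  mkdir -p "$1"
  printf 'system_key_directory: %s\nconfig_encryption_key_name: system_key\n' "$1" > "$1/dse.yaml"
  printf 'placeholder-key-material\n' > "$1/system_key"   # not a real dsetool key
  chmod "$2" "$1/system_key"
}

# Demo on constructed data: a correctly protected key and a world-readable one.
tmp=$(mktemp -d)
make_sample "$tmp/good" 600; make_sample "$tmp/bad" 644
check_system_key "$tmp/good/dse.yaml" "$(id -un)" && echo "good layout: ok"
check_system_key "$tmp/bad/dse.yaml" "$(id -un)" || echo "bad layout: rejected"
rm -rf "$tmp"
```

Run it on a real node as `check_system_key /etc/dse/dse.yaml cassandra` after step 6; a non-zero exit means the key file is missing, mis-owned, or too open.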

Setting up local encryption keys to embed in an installation package for development environments

You can create a local encryption or decryption key file that can be embedded in a distribution (tarball). In development environments, this distribution package can then be shared with other users. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.

The current user must have write permission to the directory where you want to generate the key files.

Procedure

  1. Specify the key file output directory when you create the encryption key with the dsetool createsystemkey command:

    For example:

    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys

    Result: A key file /home/jane/keys/system_key is created.

  2. In the distribution tarball, create a directory for the system key file. Use the default location (/etc/dse/conf) or add a new location.

  3. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  4. If you used a new location, then update the system_key_directory property in dse.yaml as appropriate.
