Set up local encryption keys to embed in installation package for development environments

You can create a local encryption or decryption key file that can be embedded in a distribution (tarball). In development environments this distribution package can then be used by other users. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.

The current user must have write permission to the directory where you want to generate the key files.

Set up local encryption keys for distribution

  1. Specify the key file output directory when you create the encryption key. Use the nodetool createsystemkey command:

    For example:

    nodetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys

    Result: A key file /home/jane/keys/system_key is created.

  2. Verify that the key file was created successfully:

    ls -la /home/jane/keys/

    You should see a system_key file with restricted permissions (600).

Ensure that the HCD service account has read/write permissions to the key directory and files. Insufficient permissions will cause encryption operations to fail.

  1. In the distribution tarball, create a directory for the system key file. Use the default location, /etc/hcd/conf, or add a new location.

  2. Locate the hcd.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/hcd/hcd.yaml

    • Tarball installations: <installation_location>/resources/hcd/conf/hcd.yaml

  3. Update the hcd.yaml file to include the encryption configuration:

    # HCD Config Version: 1.0
    
    # Encryption configuration
    system_key_directory: /home/jane/keys
    config_encryption_key_name: system_key

    The system_key_directory property specifies where HCD will look for encryption key files. The config_encryption_key_name property specifies the default key file name (defaults to system_key if not specified).

  4. Verify the configuration is working by checking the HCD status:

    nodetool status

    If the command executes successfully, the configuration is properly loaded.
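
As an added example (not part of the HCD documentation or its tooling), the following POSIX shell script automates the checks behind the steps above: it verifies that the generated key file exists, is non-empty and keeps the restricted 600 mode, reads system_key_directory and config_encryption_key_name from hcd.yaml to confirm they point at such a key, and stages the key under the tarball's resources/hcd/conf directory with the same permissions. The function names are my own, and the mode lookup assumes GNU or BSD stat.

```shell
#!/bin/sh
# Pre-flight checks for a locally generated HCD system key before it is embedded
# in a distribution tarball. Assumes POSIX sh plus GNU or BSD stat.

# check_system_key <key_directory> [key_name]
# Succeeds only when the key file exists, is non-empty and has no group/other
# permission bits (the 600 mode that nodetool createsystemkey produces).
check_system_key() {
  key="$1/${2:-system_key}"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  [ -s "$key" ] || { echo "empty key file: $key" >&2; return 1; }
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key file $key has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# yaml_value <hcd.yaml> <key>: first top-level scalar value for <key>, if any.
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//' | head -n 1
}

# check_hcd_yaml <hcd.yaml>
# Reads system_key_directory and config_encryption_key_name (default system_key)
# from hcd.yaml and verifies that the key they point to passes check_system_key.
check_hcd_yaml() {
  dir=$(yaml_value "$1" system_key_directory)
  name=$(yaml_value "$1" config_encryption_key_name)
  [ -n "$dir" ] || { echo "system_key_directory not set in $1" >&2; return 1; }
  check_system_key "$dir" "${name:-system_key}"
}

# stage_key <key_directory> <key_name> <staging_root>
# Copies the key into <staging_root>/resources/hcd/conf with mode 600 so the
# tarball built from <staging_root> carries it with the same restricted permissions.
stage_key() {
  dest="$3/resources/hcd/conf"
  mkdir -p "$dest" || return 1
  cp "$1/$2" "$dest/$2" && chmod 600 "$dest/$2" && check_system_key "$dest" "$2"
}

# Usage: sh check_hcd_key.sh /path/to/hcd.yaml
[ $# -eq 0 ] || check_hcd_yaml "$1"
```

Run it against the hcd.yaml in the staged tree before you tar it up; a non-zero exit names the file and the permission or configuration problem on stderr.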

For production environments, consider also enabling system encryption by adding the following to your hcd.yaml:

system_info_encryption:
  enabled: true
  cipher_algorithm: AES/ECB/PKCS5Padding
  secret_key_strength: 128
  chunk_length_kb: 64

© 2025 DataStax