Set up local encryption keys to embed in installation package for development environments

You can create a local encryption or decryption key file that can be embedded in a distribution (tarball). In development environments this distribution package can then be used by other users. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.

The current user must have write permission to the directory where you want to generate the key files.

Set up local encryption keys for distribution
1. Specify the key file output directory when you create the encryption key, using the nodetool createsystemkey command. For example:

       nodetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys

   Result: A key file /home/jane/keys/system_key is created.

2. Verify that the key file was created successfully:

       ls -la /home/jane/keys/

   You should see a system_key file with restricted permissions (600).

   Ensure that the HCD service account has read/write permissions to the key directory and files. Insufficient permissions will cause encryption operations to fail.

3. In the distribution tarball, create a directory for the system key file. Use the default location, /etc/hcd/conf, or add a new location.

4. Locate the hcd.yaml configuration file. The location of this file depends on the type of installation:
   - Package installations: /etc/hcd/hcd.yaml
   - Tarball installations: <installation_location>/resources/hcd/conf/hcd.yaml

5. Update the hcd.yaml file to include the encryption configuration:

       # HCD Config Version: 1.0
       # Encryption configuration
       system_key_directory: /home/jane/keys
       config_encryption_key_name: system_key

   The system_key_directory property specifies where HCD will look for encryption key files. The config_encryption_key_name property specifies the default key file name (defaults to system_key if not specified).

6. Verify the configuration is working by checking the HCD status:

       nodetool status

   If the command executes successfully, the configuration is properly loaded.
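The following shell script is an added example and is not part of the HCD documentation or the product. It ties steps 2 and 5 together: it reads system_key_directory and config_encryption_key_name from an hcd.yaml (falling back to the documented default system_key), then checks that the referenced key file exists, has mode 600, and is readable and writable by the user running the check, which is the condition the note in step 2 asks you to guarantee for the HCD service account. Run it as that service account before starting HCD or shipping the tarball. The temporary directory, the demo hcd.yaml, and the key file contents are constructed for the demo; nodetool createsystemkey is not invoked.

```shell
#!/bin/sh
# Added example (not from the HCD docs): validate the key file that hcd.yaml
# points at. All paths and file contents below are constructed for the demo.
set -u

# Print the value of a top-level "name: value" property from a YAML file.
# Usage: key_from_yaml <yaml-file> <property-name>
key_from_yaml() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the key file referenced by the YAML is a regular file with
# mode 600 that the current user can read and write; print the reason and
# return 1 otherwise.
check_key_file() {
    yaml="$1"
    dir=$(key_from_yaml "$yaml" system_key_directory)
    name=$(key_from_yaml "$yaml" config_encryption_key_name)
    [ -n "$name" ] || name=system_key        # documented default
    keyfile="$dir/$name"

    if [ ! -f "$keyfile" ]; then
        echo "missing key file: $keyfile"; return 1
    fi
    m=$(mode_of "$keyfile")
    if [ "$m" != "600" ]; then
        echo "key file $keyfile has mode $m, expected 600"; return 1
    fi
    if [ ! -r "$keyfile" ] || [ ! -w "$keyfile" ]; then
        echo "current user cannot read/write $keyfile"; return 1
    fi
    echo "ok: $keyfile"
    return 0
}

# Build a constructed layout (key directory + hcd.yaml) in a temp dir and
# print its path. Stands in for the output of nodetool createsystemkey.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/keys"
    printf 'constructed-demo-key-material\n' > "$base/keys/system_key"
    chmod 600 "$base/keys/system_key"
    cat > "$base/hcd.yaml" <<EOF
# HCD Config Version: 1.0
# Encryption configuration
system_key_directory: $base/keys
config_encryption_key_name: system_key
EOF
    echo "$base"
}

# Stand-alone run: a correctly set up key passes, a 644 key is rejected.
DEMO=$(make_demo)
check_key_file "$DEMO/hcd.yaml"
chmod 644 "$DEMO/keys/system_key"
check_key_file "$DEMO/hcd.yaml" || true
rm -rf "$DEMO"
```

To check a real installation, call check_key_file with the path from step 4 (for example /etc/hcd/hcd.yaml) while logged in as the HCD service account; a non-zero exit means the service would fail the same way the note in step 2 describes.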
For production environments, consider also enabling system encryption by adding the following to your