Encrypt configuration file properties

Configure HCD to use a local encryption key to decrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:

  • hcd.yaml LDAP values:

    ldap_options.search_password
ldap_options.truststore_password

    Restriction: Use plain text for the KMIP keystore or truststore passwords.

  • cassandra.yaml SSL values:

    server_encryption_options.keystore_password
server_encryption_options.truststore_password
client_encryption_options.keystore_password
client_encryption_options.truststore_password

Prerequisites

Complete the key setup described in Setting up local encryption keys.

Procedure

  1. For each property, replace plain text passwords with encrypted passwords.

    1. Encrypt the password:

      dsetool encryptconfigvalue
      Using system key system_key

Enter value to encrypt:
Enter again to confirm:

Your encrypted value is:

+Vj5oHCR/jqfA+OJE2m8zA==

    2. Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml file:

      truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==

      After the configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.

  2. Locate the hcd.yaml and cassandra.yaml configuration files. The location of these files depends on your installation type.

    hcd.yaml

    • Package installations

    • Tarball installations

    /etc/hcd/hcd.yaml
    INSTALLATION_LOCATION/resources/hcd/conf/hcd.yaml

    Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

    cassandra.yaml

    Package installations
    /etc/hcd/cassandra/cassandra.yaml
    Tarball installations
    INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

    Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

  3. In the hcd.yaml file, enable configuration file property encryption:

    1. Set config_encryption_active to true.

      config_encryption_active: true

      When set to true, the configuration values must be encrypted or commented out.

      Restriction: Lifecycle Manager (LCM) is not compatible when config_encryption_active is true in DSE and OpsCenter. For LCM limitations, see Encrypted DSE configuration values.

    2. Set the local key encryption filename:

      config_encryption_key_name: <key_filename>

  4. Update the hcd.yaml and cassandra.yaml on all nodes in the cluster.

  5. Set up encryption for system resources, see Encrypt system resources.

  6. Perform a rolling restart of all nodes in the cluster.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com