Encrypt configuration file properties
Configure HCD to use a local encryption key to decrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:
- hcd.yaml LDAP values: ldap_options.search_password, ldap_options.truststore_password
  Restriction: Use plain text for the KMIP keystore or truststore passwords.
- cassandra.yaml SSL values: server_encryption_options.keystore_password, server_encryption_options.truststore_password, client_encryption_options.keystore_password, client_encryption_options.truststore_password
Prerequisites
Complete the key setup described in Setting up local encryption keys.
Procedure
- For each property, replace plain text passwords with encrypted passwords.
  - Encrypt the password:
    dsetool encryptconfigvalue
    Using system key system_key
    Enter value to encrypt:
    Enter again to confirm:
    Your encrypted value is: +Vj5oHCR/jqfA+OJE2m8zA==
  - Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml file:
    truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==
  After configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.
- Locate the hcd.yaml and cassandra.yaml configuration files. The location of these files depends on your installation type.
  hcd.yaml
  - Package installations: /etc/hcd/hcd.yaml
  - Tarball installations: INSTALLATION_LOCATION/resources/hcd/conf/hcd.yaml
  cassandra.yaml
  - Package installations: /etc/hcd/cassandra/cassandra.yaml
  - Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
  For tarball installations, replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
- In the hcd.yaml file, enable configuration file property encryption:
  - Set config_encryption_active to true:
    config_encryption_active: true
    When set to true, the configuration values must be encrypted or commented out.
    Restriction: Lifecycle Manager (LCM) is not compatible when config_encryption_active is true in DSE and OpsCenter. For LCM limitations, see Encrypted DSE configuration values.
  - Set the filename of the local encryption key:
    config_encryption_key_name: <key_filename>
- Update hcd.yaml and cassandra.yaml on all nodes in the cluster.
- Set up encryption for system resources; see Encrypt system resources.
- Perform a rolling restart of all nodes in the cluster.
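Because startup fails once config_encryption_active is true and any protected property is still plain text, a pre-flight check of the files before the rolling restart saves a failed node. The script below is an added example, not part of the HCD documentation or of dsetool; it assumes the simple two-level layout of these yaml files and uses a labelled heuristic (valid base64 of whole 16-byte blocks, matching the sample value above) to tell encrypted values from plain text. The SAMPLE_CASSANDRA fragment is constructed.

```python
import base64, binascii

# Properties the page requires to be encrypted, keyed by file: (section, property).
PROTECTED = {
    "hcd.yaml": [("ldap_options", p) for p in ("search_password", "truststore_password")],
    "cassandra.yaml": [(s, p) for s in ("server_encryption_options", "client_encryption_options")
                       for p in ("keystore_password", "truststore_password")],
}

def parse_simple_yaml(text):
    # Minimal reader for the 'section:' / '  key: value' layout of these two files.
    # Assumption: no lists or anchors, and '#' never appears inside a value.
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                      # blank or commented-out line
        key, _, value = (s.strip() for s in line.partition(":"))
        if not raw[0].isspace():          # top-level key
            section = key
            cfg[section] = value or {}
        elif isinstance(cfg.get(section), dict):
            cfg[section][key] = value
    return cfg

def looks_encrypted(value):
    # Heuristic (assumption): dsetool encryptconfigvalue prints base64 ciphertext of whole
    # 16-byte blocks, as the page's sample does; 'password' (valid base64, 6 bytes) fails.
    try:
        raw = base64.b64decode(value.strip("'\""), validate=True)
    except binascii.Error:
        return False
    return len(raw) > 0 and len(raw) % 16 == 0

def unencrypted_properties(filename, text):
    # Protected properties still set in plain text; each one would make DSE startup
    # fail once config_encryption_active is true. Commented-out properties are fine.
    cfg = parse_simple_yaml(text)
    return [f"{s}.{p}" for s, p in PROTECTED[filename]
            if isinstance(cfg.get(s), dict) and cfg[s].get(p)
            and not looks_encrypted(cfg[s][p])]

# Constructed sample cassandra.yaml fragment, not taken from a real installation.
SAMPLE_CASSANDRA = """server_encryption_options:
  keystore_password: +Vj5oHCR/jqfA+OJE2m8zA==
  truststore_password: cassandra
client_encryption_options:
  keystore_password: +Vj5oHCR/jqfA+OJE2m8zA==
  # truststore_password: cassandra
"""
```

Run unencrypted_properties("cassandra.yaml", SAMPLE_CASSANDRA) against each file on every node before enabling encryption; an empty list means no protected property will block startup.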