Encrypt configuration file properties
Configure HCD to use a local encryption key to decrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:
-
hcd.yaml
LDAP values:ldap_options.search_password ldap_options.truststore_password
Restriction: Use plain text for the
KMIP
keystore or truststore passwords. -
cassandra.yaml
SSL values:server_encryption_options.keystore_password server_encryption_options.truststore_password client_encryption_options.keystore_password client_encryption_options.truststore_password
Prerequisites
Complete the key setup described in Setting up local encryption keys.
Procedure
-
For each property, replace plain text passwords with encrypted passwords.
-
Encrypt the password:
dsetool encryptconfigvalue
Using system key system_key Enter value to encrypt: Enter again to confirm: Your encrypted value is: +Vj5oHCR/jqfA+OJE2m8zA==
-
Replace the old value with the new value in the configuration file, for example the SSL truststore password in the
cassandra.yaml
file:truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==
After the configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.
-
-
Locate the
hcd.yaml
andcassandra.yaml
configuration files. The location of these files depends on the type of installation:Filename
File Location
hcd.yaml
Package installations:
/etc/hcd/hcd.yaml
Tarball installations:
<installation_location>/resources/hcd/conf/hcd.yaml
cassandra.yaml
Package installations:
/etc/hcd/cassandra/cassandra.yaml
Tarball installations:
<installation_location>/resources/cassandra/conf/cassandra.yaml
-
in the
hcd.yaml
file, enable configuration file property encryption:config_encryption_active: true
When set to
true
, the configuration values must be encrypted or commented out.Restriction: Lifecycle Manager (LCM) is not compatible when
config_encryption_active
istrue
in DSE and OpsCenter. For LCM limitations, see Encrypted DSE configuration values.-
Set the local key encryption filename:
config_encryption_key_name: <key_filename>
-
-
Update the
hcd.yaml
andcassandra.yaml
on all nodes in the cluster. -
Set up encryption for system resources, see Encrypting system resources.
-
Perform a rolling restart of all nodes in the cluster.