Encrypt system resources
Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.
|
If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables. |
Prerequisites
Complete the key setup described in Setting up local encryption keys.
Use the hcd.yaml file to encrypt system resources
-
Locate the
hcd.yamlconfiguration file. The location of this file depends on your installation type.-
Package installations
-
Tarball installations
/etc/hcd/hcd.yamlINSTALLATION_LOCATION/resources/hcd/conf/hcd.yamlReplace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
-
-
In the
hcd.yamlfile, configure encryption settings for system tables, thecommitlog, and thehintfiles.system_info_encryption: enabled: true cipher_algorithm: <cipher_name> secret_key_strength: <key_length> chunk_length_kb: <default_table_chunk_size>-
Required. Set
enabledtotrue. -
Optional: Configure the type of encryption key to use:
-
cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. For a list of support algorithms, seecipher_algorithm -
secret_key_strength: Specify the key length. -
chunk_length_kb: Size of SSTables. The default64is used if the option is excluded. When these properties are set, HCD only uses a key that matches. If no matching key exists, start up fails.
-
-
-
Perform a rolling restart of all nodes in the cluster.
-
To encrypt existing data, run
nodetool upgradesstables -a system batchlog paxoson all nodes in the cluster.
