Encrypt system resources
Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.
If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables.
Prerequisites
Complete the key setup described in Setting up local encryption keys.
Use the hcd.yaml file to encrypt system resources
1. Locate the hcd.yaml configuration file. The location of this file depends on your installation type:
   Package installations: /etc/hcd/hcd.yaml
   Tarball installations: INSTALLATION_LOCATION/resources/hcd/conf/hcd.yaml
   Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
2. In the hcd.yaml file, configure the encryption settings for the system tables, the commit log, and the hint files:

```yaml
system_info_encryption:
  enabled: true
  cipher_algorithm: <cipher_name>
  secret_key_strength: <key_length>
  chunk_length_kb: <default_table_chunk_size>
```

   - enabled: Required. Set to true.
   - Optional: configure the type of encryption key to use:
     - cipher_algorithm: The name of a supported JCE cipher algorithm. For the list of supported algorithms, see cipher_algorithm.
     - secret_key_strength: The key length in bits.
     - chunk_length_kb: The SSTable chunk size in KB. The default, 64, is used if the option is omitted.
   When cipher_algorithm and secret_key_strength are set, HCD only uses a local key that matches both of them. If no matching key exists, startup fails.
3. Perform a rolling restart of all nodes in the cluster.
4. To encrypt existing data, run nodetool upgradesstables -a system batchlog paxos on all nodes in the cluster.
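Because a cipher_algorithm or secret_key_strength that matches no local key stops the node from starting, it is worth checking the hcd.yaml block against the key files before the rolling restart. The script below is an added example, not part of HCD or its tooling. It assumes a stdlib-only line reader for the flat system_info_encryption block (no PyYAML), and it assumes each local key file holds one line of the form cipher:strength:base64key; change parse_key_file() if your key files differ. The cipher name AES/CBC/PKCS5Padding and the key bytes in the sample are constructed values, not settings the page specifies.

```python
"""Pre-flight check for the system_info_encryption block in hcd.yaml.

Added example, not HCD's own code. Assumptions (labelled):
- hcd.yaml is read with a minimal indentation-based reader (stdlib only),
  which is enough for the flat key: value block shown on this page.
- a local key file holds one line <cipher>:<strength>:<base64 key>;
  adjust parse_key_file() if your key files use another layout.
"""
import base64
import binascii

DEFAULT_CHUNK_LENGTH_KB = 64  # applied when chunk_length_kb is omitted


def parse_system_info_encryption(yaml_text):
    """Return the key/value pairs under a top-level system_info_encryption: key."""
    settings = {}
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not in_block:
            if line == "system_info_encryption:":
                in_block = True
            continue
        if not line.startswith((" ", "\t")):  # a dedent ends the block
            break
        key, sep, value = line.strip().partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_key_file(key_file_text):
    """Return (cipher, strength_bits) from a key file (assumed cipher:strength:base64)."""
    parts = key_file_text.strip().split(":")
    if len(parts) != 3:
        raise ValueError("unexpected key file format")
    cipher, strength, encoded = parts
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("key material is not valid base64") from exc
    if len(raw) * 8 != int(strength):
        raise ValueError("key length does not match the declared strength")
    return cipher, int(strength)


def check_config(settings, keys):
    """Return a list of problems; an empty list means the block matches the keys."""
    problems = []
    if settings.get("enabled", "").lower() != "true":
        problems.append("enabled must be set to true")
    cipher = settings.get("cipher_algorithm")
    strength = settings.get("secret_key_strength")
    if strength is not None and not strength.isdigit():
        problems.append("secret_key_strength must be an integer key length in bits")
        strength = None
    # The page's rule: with both properties set, only a matching key is used,
    # and with no matching key the node fails to start.
    if cipher and strength and (cipher, int(strength)) not in keys:
        problems.append(
            "no local key matches %s/%s bits; HCD would fail to start" % (cipher, strength)
        )
    chunk = settings.get("chunk_length_kb", str(DEFAULT_CHUNK_LENGTH_KB))
    if not chunk.isdigit() or int(chunk) <= 0:
        problems.append("chunk_length_kb must be a positive integer (default 64)")
    return problems


def effective_settings(settings):
    """Settings with the documented default applied for chunk_length_kb."""
    out = dict(settings)
    out.setdefault("chunk_length_kb", str(DEFAULT_CHUNK_LENGTH_KB))
    return out


# Constructed sample hcd.yaml fragment (not a real node's file).
SAMPLE_HCD_YAML = """\
cluster_name: 'Test Cluster'
system_info_encryption:
  enabled: true
  cipher_algorithm: AES/CBC/PKCS5Padding
  secret_key_strength: 128   # chunk_length_kb omitted: default 64 applies
num_tokens: 16
"""

# Constructed key file content: 16 placeholder bytes (128 bits), never a real key.
SAMPLE_KEY_FILE = "AES/CBC/PKCS5Padding:128:" + base64.b64encode(bytes(range(16))).decode()


def main():
    settings = parse_system_info_encryption(SAMPLE_HCD_YAML)
    keys = {parse_key_file(SAMPLE_KEY_FILE)}
    print("effective settings:", effective_settings(settings))
    problems = check_config(settings, keys)
    print("OK" if not problems else "\n".join(problems))


if __name__ == "__main__":
    main()
```

Run it on every node before the rolling restart: read the real hcd.yaml and each key file the node has, and collect the (cipher, strength) pairs into the keys set. A non-empty problem list means the restart would leave that node down.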