Encrypt system resources

Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.

If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables.

Prerequisites

Complete the key setup described in Setting up local encryption keys.

Use the `hcd.yaml` file to encrypt system resources

Locate the hcd.yaml configuration file. The location of this file depends on the type of installation:
- Package installations: /etc/hcd/hcd.yaml
- Tarball installations: <installation_location>/resources/hcd/conf/hcd.yaml
In the hcd.yaml file, configure encryption settings for system tables, the commit log, and the hint files.
```
system_info_encryption:
  enabled: true
  cipher_algorithm: <cipher_name>
  secret_key_strength: <key_length>
  chunk_length_kb: <default_table_chunk_size>
```
- Required. Set enabled to true.
- Optional: Configure the type of encryption key to use:
  - cipher_algorithm: Set the name of a supported JCE cipher algorithm to use.
  - secret_key_strength: Specify the key length.
  - chunk_length_kb: Size of SSTables. The default 64 is used if the option is excluded. When these properties are set, HCD only uses a key that matches. If no matching key exists, start up fails.
Perform a rolling restart of all nodes in the cluster.

To encrypt existing data, run nodetool upgradesstables -a system batchlog paxos on all nodes in the cluster.

Encrypt system resources

Prerequisites

Use the `hcd.yaml` file to encrypt system resources

Was this helpful?

Give Feedback

Encrypt system resources

Prerequisites

Use the hcd.yaml file to encrypt system resources

Was this helpful?

Use the `hcd.yaml` file to encrypt system resources