Encrypt system resources

Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.

If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables.

Prerequisites

Complete the key setup described in Setting up local encryption keys.

Use the hcd.yaml file to encrypt system resources

  1. Locate the hcd.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/hcd/hcd.yaml

    • Tarball installations: <installation_location>/resources/hcd/conf/hcd.yaml

  2. In the hcd.yaml file, configure encryption settings for system tables, the commit log, and the hint files.

    system_info_encryption:
      enabled: true
      cipher_algorithm: <cipher_name>
      secret_key_strength: <key_length>
      chunk_length_kb: <default_table_chunk_size>
    • Required. Set enabled to true.

    • Optional: Configure the type of encryption key to use:

      • cipher_algorithm: Set the name of a supported JCE cipher algorithm to use.

      • secret_key_strength: Specify the key length.

      • chunk_length_kb: Size of SSTables. The default 64 is used if the option is excluded. When these properties are set, HCD only uses a key that matches. If no matching key exists, start up fails.

  3. Perform a rolling restart of all nodes in the cluster.

  1. To encrypt existing data, run nodetool upgradesstables -a system batchlog paxos on all nodes in the cluster.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com