Set up local encryption keys for production environments

After installing HCD, create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the cassandra.yaml system_key_directory property.

The location of the cassandra.yaml file depends on your installation type.

  • Package installations: /etc/hcd/cassandra/cassandra.yaml

  • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

Prerequisites

To ensure support for all encryption algorithms, enable JCE.

Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.

Procedure

  1. If the directory does not exist, create the /conf directory for your HCD installation type:

    • Package installations

      /etc/hcd/conf

    • Tarball installations

      INSTALLATION_LOCATION/resources/hcd/conf

      Replace INSTALLATION_LOCATION with the installation location.

  2. Generate the encryption key file:

    echo -n "$(openssl rand -hex 32)" > /etc/hcd/conf/system_key

  3. Ensure that the HCD user has read and write access on the file. If necessary, change the ownership of the file to the HCD user.

    chown cassandra /etc/hcd/conf/system_key
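
Steps 2 and 3 as a script, added here as an example and not part of the HCD documentation or tooling: it creates the key file with owner-only permissions from the start, refuses to replace an existing key, and checks the result (the same check can be run on each node after the file is distributed). The function names and the owner-only mode are assumptions of this example; the path, the `openssl` command, and the `cassandra` owner come from the steps above.

```shell
#!/bin/sh
# Added example; create_system_key and verify_system_key are hypothetical names.
# Usage (as root): create_system_key /etc/hcd/conf cassandra

# verify_system_key FILE
# Succeeds only if FILE is a regular file with no group/other permission bits
# holding exactly 64 lowercase hex characters and no trailing newline,
# which is what `echo -n "$(openssl rand -hex 32)"` writes.
verify_system_key() {
    key=$1
    [ -f "$key" ] || { echo "$key: not a regular file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key: readable by group/other" >&2; return 1; }
    # Exactly 64 bytes rules out a trailing newline or a truncated key.
    [ "$(wc -c < "$key")" -eq 64 ] || { echo "$key: expected 64 bytes" >&2; return 1; }
    LC_ALL=C grep -Eq '^[0-9a-f]{64}$' "$key" || { echo "$key: not hex" >&2; return 1; }
}

# create_system_key DIR [OWNER]
# Writes DIR/system_key, optionally chowns it to OWNER, then verifies it.
create_system_key() {
    dir=$1
    owner=${2:-}
    key="$dir/system_key"
    mkdir -p -- "$dir" || return 1
    hex=$(openssl rand -hex 32) || return 1
    # Subshell keeps umask and noclobber local: the file is created 0600, and
    # an existing key is never replaced (data encrypted with it would no
    # longer decrypt). printf is a shell builtin, so the key is not exposed
    # in a process argument list.
    ( umask 077; set -C; printf '%s' "$hex" > "$key" ) 2>/dev/null || {
        echo "$key: could not create (already exists?)" >&2
        return 1
    }
    if [ -n "$owner" ]; then
        chown -- "$owner" "$key" || return 1
    fi
    verify_system_key "$key"
}
```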
