Set up local encryption keys for production environments

The location of the hcd.yaml file depends on the type of installation:

- Package installations: /etc/hcd/hcd.yaml
- Tarball installations: <installation_location>/resources/dse/conf/hcd.yaml

Prerequisites

To ensure support for all encryption algorithms, enable JCE.
Starting in |
Procedure

- If the directory does not exist, create the /conf directory based on your HCD installation type:
  - Package installation: /etc/hcd/conf
  - Tarball installation: <installation_location>/resources/dse/conf

- Configure the file name and the location of the encryption key in the hcd.yaml file:
  - Set the system_key_directory property to the path where you want to store the encryption keys:

        system_key_directory: /etc/hcd/conf

  - Change the directory owner to the HCD account and ensure that the HCD account has read/write permissions.
  - Set config_encryption_key_name to the <key_name>. The default name is system_key:

        config_encryption_key_name: system_key

    Encryption key files can have any valid Unix name.

- Go to the directory specified by the system_key_directory property in your hcd.yaml file. For example:

      cd /etc/hcd/conf

- Create an encryption key using the nodetool createsystemkey command:

      nodetool createsystemkey 'AES/ECB/PKCS5Padding' 128 KEY_NAME

  Replace KEY_NAME with the name of the key file to create. You can use any valid Unix name for encryption key files. If you don't specify a name, the system creates the key file as system_key.

  If you set config_encryption_active to true in the hcd.yaml file, the system generates a warning, but the system key still successfully generates.

  HCD supports the following JCE cipher algorithms and corresponding length, given in the form cipher_algorithm[/mode/padding]:
  - AES/CBC/PKCS5Padding (valid with length 128)
  - AES/ECB/PKCS5Padding (valid with length 128)

  Only AES algorithms with 128-bit key strength are supported in HCD 1.2.

- Copy the key file to all other nodes in the cluster. Put keys on all nodes in the same directory.

- Update the system_key_directory and config_encryption_key_name in the hcd.yaml file. nodetool reads current values from the hcd.yaml. A restart is not required to continue setting up encryption.

- Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user:

      chown cassandra /etc/hcd/conf/system_key
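As an added pre-flight check that is not part of the HCD documentation or product, the following POSIX shell function reads system_key_directory and config_encryption_key_name from hcd.yaml and verifies that the key file exists in that directory, is owned by the HCD service account you name, and is not readable by other users (a common omission after copying the key to other nodes). It assumes the two properties appear as simple top-level "key: value" lines; the yaml path and owner name passed in are whatever applies on your node.

```shell
#!/bin/sh
# Added pre-flight check for the local encryption key setup described above.
# Not part of HCD or its docs. Assumes POSIX sh, find, sed and head, and that
# hcd.yaml expresses the two properties as simple top-level "key: value" lines.

# yaml_value FILE PROPERTY: print the value of the first uncommented
# "PROPERTY: value" line in FILE (empty output if the property is absent).
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_system_key HCD_YAML OWNER
# Verifies that hcd.yaml names a key directory, that the key file exists in it,
# that OWNER (the HCD service account, e.g. cassandra) owns the file, and that
# the file is not readable by other users. Prints the first problem found and
# returns 0 only if every check passes.
check_system_key() {
  yaml=$1
  owner=$2
  dir=$(yaml_value "$yaml" system_key_directory)
  name=$(yaml_value "$yaml" config_encryption_key_name)
  [ -n "$dir" ] || { echo "system_key_directory is not set in $yaml"; return 1; }
  # config_encryption_key_name defaults to system_key when it is unset
  [ -n "$name" ] || name=system_key
  key=$dir/$name
  [ -d "$dir" ] || { echo "key directory $dir does not exist"; return 1; }
  [ -f "$key" ] || { echo "key file $key is missing (run nodetool createsystemkey)"; return 1; }
  # find prints the path only when the predicate matches, so test its output
  [ -n "$(find "$key" -user "$owner")" ] || { echo "$key is not owned by $owner"; return 1; }
  [ -z "$(find "$key" -perm -004)" ] || { echo "$key is readable by other users"; return 1; }
  echo "ok: $key is owned by $owner and not world-readable"
  return 0
}
```

Run it on every node after copying the key file, for example `check_system_key /etc/hcd/hcd.yaml cassandra`, so a node with a missing or over-permissive key is caught before encryption is enabled.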