Set up local encryption keys for production environments

After installing HCD, create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the cassandra.yaml system_key_directory property.

The location of the cassandra.yaml file depends on your installation type.

  • Package installations: /etc/hcd/cassandra/cassandra.yaml

  • Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml

Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

Prerequisites

To ensure support for all encryption algorithms, enable JCE.

Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.

Procedure

  1. If the directory does not exist, create the /conf directory based on your HCD installation type:

    • Package installations: /etc/hcd/conf

    • Tarball installations: INSTALLATION_LOCATION/resources/hcd/conf

    Replace INSTALLATION_LOCATION with the installation location.

  2. Generate the encryption key file:

    include::ROOT:partial$write access on them. If necessary, change the ownership of the file to the HCD user.

    chown cassandra /etc/hcd/conf/system_key
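
A check to run on each node after the procedure, as an added example that is not part of the HCD documentation: it confirms that the key file exists, is owned by the HCD user, and that system_key_directory in cassandra.yaml names the directory holding it. The function names, the reliance on GNU stat, and treating any group/other access to the key file as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example (not HCD code). Assumes GNU coreutils `stat`.
# Usage on a package installation:
#   audit_key_file /etc/hcd/conf/system_key cassandra /etc/hcd/cassandra/cassandra.yaml

# Print the system_key_directory value from a cassandra.yaml file,
# with any trailing comment and surrounding double quotes removed.
yaml_key_dir() {
    awk -F: '$1 == "system_key_directory" {
        v = $0
        sub(/^[^:]*:[ \t]*/, "", v)   # drop the key and the colon
        sub(/[ \t]+#.*$/, "", v)      # drop a trailing comment
        sub(/[ \t]+$/, "", v)         # drop trailing whitespace
        gsub(/^"|"$/, "", v)          # drop surrounding double quotes
        print v
        exit
    }' "$1"
}

# audit_key_file KEY_FILE EXPECTED_OWNER CASSANDRA_YAML
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_key_file() {
    key=$1 owner=$2 yaml=$3 rc=0
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 1
    fi
    # Ownership: the key file should belong to the HCD user.
    actual_owner=$(stat -c '%U' "$key")
    if [ "$actual_owner" != "$owner" ]; then
        echo "OWNER: $key is owned by $actual_owner, expected $owner"
        rc=1
    fi
    # Mode (assumption of this example): no group or other permission bits.
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $key is $mode, group or other can access it"
        rc=1
    fi
    # cassandra.yaml must point at the directory that holds the key file.
    want=$(dirname "$key")
    have=$(yaml_key_dir "$yaml")
    if [ "$have" != "$want" ]; then
        echo "YAML: system_key_directory is '$have', expected '$want'"
        rc=1
    fi
    return "$rc"
}
```

Running the same check on every node, together with a checksum comparison of the key file, confirms the file was distributed to the same location cluster-wide.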

© 2025 DataStax, an IBM Company