Creating a system key to encrypt sensitive configuration values

About this task

Follow these instructions to create the system key that enables automatically or manually encrypting sensitive configuration values such as passwords. Copy the system key to the agent for each node. Optionally, configure a custom name for the opsc_system_key or a path to the key when placed in a non-default location. When adjusting configuration files for an existing cluster, manually encrypt the configuration values.


The location of the address.yaml file depends on the type of installation:

  • Package installations: /var/lib/datastax-agent/conf/address.yaml

  • Tarball installations: install_location/conf/address.yaml


The location of the opscenterd.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/opscenterd.conf

  • Tarball installations: install_location/conf/opscenterd.conf


  • If using 256-bit encryption key strength, upgrade the JRE with enhanced security jar files. Download and install the Java Cryptography Extension (JCE), unzip the jar files, and place them under $JAVA_HOME/jre/lib/security.


  1. In your opscenterd directory, run the system tool to create the key with the desired mode and key strength:

    bin/opscenter_system_key_tool create ECB 128

    By default, the system key is named opsc_system_key and is located in the same directory as your opscenterd.conf.

    The name of the system key and the path to the encryption key are configurable in both opscenterd.conf and address.yaml. The options in address.yaml take precedence.

    # Specifies whether opscenter should attempt to decrypt sensitive config values
    config_encryption_active = True
    # Name of the system key used to encrypt/decrypt stored passwords.
    config_encryption_key_name = opsc_system_key
    # Path to the encryption key. If left blank, the directory of opscenterd.conf will be used
    config_encryption_key_path =

    The only fields in address.yaml you might need to enter are config_encryption_key_name and config_encryption_key_path if you are placing the keys in a location that is not standard on the agents.

  2. Manually copy the system key file to the agent for each node. The key file must reside in the same directory as the address.yaml for the agent.

    cp local/opsc_system_key ../agent/local
  3. Stop OpsCenter and stop the agents.

  4. Restart OpsCenter and the agents.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,