Configuring local encryption

Use locally stored symmetric encryption keys to protect sensitive system resources, configuration file properties and/or database tables.

Use locally-stored symmetric encryption keys to protect the following assets:


The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations


Tarball installations
Installer-No Services installations


Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

  • Create any number of local encryption keys using the dsetool createsystemkey command.
    • Tables can use different encryption keys.

      DataStax Enterprise (DSE) creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition, and stores that table key in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt and decrypt the table key.

    • Configuration properties use the same key file that is defined by the config_encryption_key_name property.
    • All system resources use the same key file. (The file is not selectable.)
  • Distribute all local encryption key files cluster-wide. Put the key files in the same folder on every node and define that location in the system_key_directory property in dse.yaml.
  • Ensure that the DSE account owns the system_key_directory and has read/write permission.
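
The ownership, permission, and distribution guidelines above can be checked on each node with a short script. This is an added example, not DataStax code: it assumes GNU coreutils (stat -c, sha256sum), takes the system_key_directory path and the DSE account name as arguments, and its check that key files are closed to group and other is stricter than what this page states.

```bash
#!/usr/bin/env bash
# Added example (not DataStax code). Assumes GNU coreutils: stat -c, sha256sum.

# check_key_dir DIR ACCOUNT
# Prints one finding per line; returns 0 only when there are no findings.
check_key_dir() {
    local dir=$1 account=$2 rc=0 f mode
    [ -d "$dir" ] || { echo "MISSING $dir is not a directory"; return 1; }

    # Guideline: the DSE account owns system_key_directory.
    if [ "$(stat -c '%U' "$dir")" != "$account" ]; then
        echo "OWNER $dir is not owned by $account"; rc=1
    fi
    # Guideline: the owner has read/write. Execute is tested as well,
    # because a directory cannot be entered without it.
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 0700 )) -ne $(( 0700 )) ]; then
        echo "MODE $dir is $mode, owner lacks rwx"; rc=1
    fi
    # Stricter than the page (assumption): every key file belongs to the
    # same account and grants nothing to group or other.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$(stat -c '%U' "$f")" != "$account" ]; then
            echo "OWNER $f is not owned by $account"; rc=1
        fi
        if [ $(( 0$mode & 0077 )) -ne 0 ]; then
            echo "MODE $f is $mode, accessible beyond the owner"; rc=1
        fi
    done
    return $rc
}

# key_manifest DIR
# Prints "<sha256>  ./<file name>" for each key file, sorted by name.
# Identical output on every node means the same key files were distributed.
key_manifest() {
    local dir=$1
    ( cd "$dir" && find . -maxdepth 1 -type f -exec sha256sum {} + | sort -k2 )
}
```

Run key_manifest on each node and compare the outputs with diff; any difference means a key file is missing or does not match.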