Setting up local encryption keys
Create local key files and set the file name to use for table and configuration file properties.
Create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the dse.yaml system_key_directory and config_encryption_key_name properties.
Note: To change an encryption key, see Rekeying existing data.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
- Package installations: /etc/dse/dse.yaml
- Tarball installations: installation_location/resources/dse/conf/dse.yaml
Prerequisites
Procedure
- If the directory does not exist, create the /conf directory based on your DataStax Enterprise (DSE) installation type:
  - Package installation: /etc/dse/conf
  - Tarball installation: installation_location/resources/dse/conf
- Configure the file name and the location of the encryption key in the dse.yaml file:
- Go to the system_key_directory and then create an encryption key using the dsetool createsystemkey command, where the cipher argument has the form cipher_algorithm[/mode/padding].
  For example:
  cd /etc/dse/conf
  dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 key_name
  Where key_name is the name of the key file to create. If no file name is specified, the key file is named system_key. DSE supports the following JCE cipher algorithms and corresponding length:
  - AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)
  - AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
  - DES/CBC/PKCS5Padding (valid with length 56)
  - DESede/CBC/PKCS5Padding (valid with length 112 or 168)
  - Blowfish/CBC/PKCS5Padding (valid with length 32-448)
  - RC2/CBC/PKCS5Padding (valid with length 40-128)
  Default: AES/CBC/PKCS5Padding (with length 128).
  Note: Encryption key files can have any valid Unix name.
  Important: If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key is still successfully generated.
- Copy the key file to all other nodes in the cluster and update the system_key_directory and config_encryption_key_name in dse.yaml.
  Note: dsetool reads current values from dse.yaml. A restart is not required to continue configuring encryption.
- Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user:
  chown cassandra /etc/dse/conf/system_key
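As an added example (not DataStax's own code and not part of the original page), the following POSIX shell script verifies the outcome of the key-creation, copy and ownership steps above: the key file exists in the configured system_key_directory, is owned by the DSE account, and is not readable by group or other. It also prints a fingerprint that can be compared across nodes after the copy step, so that every node really holds the same key. The directory, key name and DSE account are assumptions passed in as arguments; the demo values at the bottom are constructed, so the script runs without dsetool.

```shell
#!/bin/sh
# Added example, not DataStax code: checks that a local encryption key file ended
# up the way the procedure above requires (present in system_key_directory, owned
# by the DSE account, unreadable by group/other) and prints a fingerprint to
# compare across nodes after copying. Directory, key name and owner are passed in
# as arguments (assumptions); the demo values at the bottom are constructed.

# check_key_file DIR NAME OWNER -> returns 0 if the key file is usable, 1 otherwise.
# OWNER may be a user name (e.g. cassandra) or a numeric uid.
check_key_file() {
    dir=$1; name=$2; owner=$3
    path="$dir/$name"
    [ -d "$dir" ] || { echo "key directory missing: $dir" >&2; return 1; }
    [ -f "$path" ] || { echo "key file missing: $path" >&2; return 1; }
    # resolve a user name to a uid; a numeric OWNER is used as-is
    owner_uid=$(id -u "$owner" 2>/dev/null) || owner_uid=$owner
    # ls -ln prints the numeric uid; stat(1) flags differ between Linux and BSD
    entry=$(ls -ldn "$path")
    actual_uid=$(printf '%s\n' "$entry" | awk '{print $3}')
    [ "$actual_uid" = "$owner_uid" ] || {
        echo "key file $path owned by uid $actual_uid, expected $owner_uid" >&2; return 1; }
    # characters 5-10 of the mode field are the group and other permission bits
    group_other=$(printf '%s\n' "$entry" | cut -c5-10)
    [ "$group_other" = "------" ] || {
        echo "key file $path is accessible to group/other (mode bits: $group_other)" >&2; return 1; }
    return 0
}

# key_fingerprint PATH -> "crc:size" from cksum(1). Run it on every node after
# copying the file; the values must match or the nodes hold different keys.
key_fingerprint() {
    cksum "$1" | awk '{print $1 ":" $2}'
}

# Demo on a constructed key file in a temporary directory (no dsetool needed).
demo_dir=$(mktemp -d)
printf 'constructed-placeholder-key-material\n' > "$demo_dir/system_key"
chmod 600 "$demo_dir/system_key"
if check_key_file "$demo_dir" system_key "$(id -u)"; then
    echo "ok: $(key_fingerprint "$demo_dir/system_key")"
fi
rm -rf "$demo_dir"
```

On a real node the call would be check_key_file /etc/dse/conf system_key cassandra (or the tarball conf path) after the chown step; a non-zero exit and a message on stderr identify which of the three conditions failed. The cksum fingerprint is only an equality check between nodes, not a measure of key strength.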