Setting up local encryption keys

Create local key files and set the file name to use for table and configuration file properties.

Create a local encryption key file, distribute it to the same location on all nodes in the cluster, and update the dse.yaml system_key_directory and config_encryption_key_name properties.
Note: To change an encryption key, see Rekeying existing data.


The location of the dse.yaml file depends on the type of installation:

  • Package installations and Installer-Services installations
  • Tarball installations and Installer-No Services installations

To ensure support for all encryption algorithms, enable JCE Unlimited.


  1. If the directory does not exist, create the /conf directory based on your DataStax Enterprise (DSE) installation type:
    • Package installation
    • Tarball installation
  2. Configure the file name and the location of the encryption key in the dse.yaml file:
    1. Set system_key_directory property to the path where you want to store the encryption keys.
      system_key_directory: /etc/dse/conf
    2. Change the directory owner to the DSE account and ensure that the DSE account has read/write permissions.
    3. Set the config_encryption_key_name to the key_name. The default name is system_key.
      config_encryption_key_name: system_key
  3. Go to the system_key_directory and then create an encryption key using the dsetool createsystemkey command:
    For example:
    cd /etc/dse/conf
    dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 key_name
    Where key_name is the name of the key file to create. If no file name is specified, the key file is named system_key. DSE supports the following JCE cipher algorithms and corresponding key lengths:
    • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)
    • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
    • DES/CBC/PKCS5Padding (valid with length 56)
    • DESede/CBC/PKCS5Padding (valid with length 112 or 168)
    • Blowfish/CBC/PKCS5Padding (valid with length 32-448)
    • RC2/CBC/PKCS5Padding (valid with length 40-128)

    Default: AES/CBC/PKCS5Padding (with length 128).

    Note: Encryption key files can have any valid Unix name.
    Important: If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key is still successfully generated.
  4. Copy the key file to all other nodes in the cluster and update the system_key_directory and config_encryption_key_name in dse.yaml.
    Note: dsetool reads current values from dse.yaml. A restart is not required to continue configuring encryption.
  5. Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user.
    chown cassandra /etc/dse/conf/system_key
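The steps above leave the cluster depending on a key file whose location, name, ownership and contents must agree on every node. The following shell script is an added example, not part of the DataStax documentation, that reads system_key_directory and config_encryption_key_name from dse.yaml, confirms the key file exists and is owned by the DSE account, and prints a SHA-256 fingerprint so the copy on each node can be compared after step 4. It assumes GNU coreutils (stat -c, sha256sum), that the two properties appear as top-level lines in dse.yaml, and it applies a stricter rule than the page states: no group or other permission bits on the key file, since the key protects every encrypted table and configuration value.

```shell
#!/bin/sh
# Added example (not DataStax code): preflight check for a DSE local encryption key.
# Assumes GNU coreutils and top-level dse.yaml properties; the key file is expected
# to be readable only by the DSE account (stricter than the read/write requirement).
# Usage: check_system_key /etc/dse/dse.yaml cassandra

# Read one top-level scalar property from dse.yaml (plain line match, no YAML parser).
yaml_get() {
    # $1 = dse.yaml path, $2 = property name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r"'"'"
}

check_system_key() {
    yaml="$1"
    owner="${2:-cassandra}"          # DSE account; the page's chown example uses cassandra
    dir=$(yaml_get "$yaml" system_key_directory)
    name=$(yaml_get "$yaml" config_encryption_key_name)
    [ -n "$name" ] || name=system_key  # default key name when the property is unset
    if [ -z "$dir" ]; then
        echo "system_key_directory is not set in $yaml" >&2
        return 1
    fi
    key="$dir/$name"
    if [ ! -f "$key" ]; then
        echo "key file $key does not exist (run dsetool createsystemkey first)" >&2
        return 1
    fi
    actual_owner=$(stat -c '%U' "$key")
    if [ "$actual_owner" != "$owner" ]; then
        echo "$key is owned by $actual_owner, expected $owner (chown $owner $key)" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key")
    # Reject any group/other bits: only the DSE account should be able to read the key.
    case "$mode" in
        *00) ;;
        *) echo "$key has mode $mode; group/other bits should be 0 (chmod 600 $key)" >&2
           return 1 ;;
    esac
    # Fingerprint lets an operator confirm every node carries the identical file.
    echo "OK $key owner=$actual_owner mode=$mode sha256=$(sha256sum "$key" | cut -d' ' -f1)"
    return 0
}

# Run directly: check_system_key.sh <dse.yaml> [dse-user]
if [ "$#" -ge 1 ]; then
    check_system_key "$@"
fi
```

Run it on each node after copying the key file; a mismatch in the printed sha256 between nodes means step 4 did not deliver the same key everywhere, and a non-zero exit names the property, owner or mode that needs fixing.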