Setting up local encryption keys

Create local key files and set the file name to use for table and configuration file properties.

1. To ensure support for all encryption algorithms, install JCE.
2. Configure the filename and the location of the encryption key in the dse.yaml file:
   1. Set system_key_directory property to the path where you want to store the encryption keys.

      system_key_directory: /etc/dse/conf

   2. Change the directory owner to the DSE account and ensure that the DSE account has read/write permissions.
   3. Set the config_encryption_key_name to the key_name. The default name is system_key.

      config_encryption_key_name: system_key

3. Go to the system_key_directory and then create an encryption key using the dsetool createsystemkey command:
   For example:

   dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 key_name

   Where key_name is the filename. If no filename is specified, the key file is named system_key. DSE supports the following JCE cipher algorithms and corresponding length:

   cipher_algorithm[/mode/padding]

   DSE supports the following JCE cipher algorithms and corresponding length:

   • AES/CBC/PKCS5Padding (valid with length 128, 192, or 256).
   • AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
   • DES/CBC/PKCS5Padding (valid with length 56)
   • DESede/CBC/PKCS5Padding (valid with length 112 or 168)
   • Blowfish/CBC/PKCS5Padding (valid with length 32-448)
   • RC2/CBC/PKCS5Padding (valid with length 40-128)

   Default value: AES/CBC/PKCS5Padding (with length 128)

   Note: Encryption key files can have any valid Unix name.

   Important: If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key is still successfully generated.
4. Copy the key file to all other nodes in the cluster and update the system_key_directory and system_key_directory in the dse.yaml.
   Note: dsetool reads current values from the dse.yaml. A restart is NOT required to continue setting up encryption.