Encrypting configuration file properties
Configure DSE to use a local encryption key to encrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:
- dse.yaml LDAP values:
    ldap_options.search_password
    ldap_options.truststore_password
  Restriction: Use plain text for the KMIP keystore or truststore passwords.
- cassandra.yaml SSL values:
    server_encryption_options.keystore_password
    server_encryption_options.truststore_password
    client_encryption_options.keystore_password
    client_encryption_options.truststore_password
Prerequisites
Complete the key setup described in Setting up local encryption keys.
When using a local encryption key file, set the location |
Procedure
- For each property, replace plain text passwords with encrypted passwords returned by running the dsetool encryptconfigvalue command:
  - Encrypt the password:
      dsetool encryptconfigvalue

      Using system key system_key
      Enter value to encrypt:
      Enter again to confirm:
      Your encrypted value is: +Vj5oHCR/jqfA+OJE2m8zA==
  - Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml:
      truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==
    Once configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.
- In dse.yaml, enable configuration file property encryption:
  - Set config_encryption_active to true.
      config_encryption_active: true
    When set to true, the configuration values must be encrypted or commented out.
  - Set the local key encryption filename:
      config_encryption_key_name: <key_filename>
- Update the dse.yaml and cassandra.yaml on all nodes in the cluster.
- Set up encryption for system resources; see Encrypting system resources.
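A pre-flight check for the startup failure described in the procedure, as an added example that is not part of the DataStax documentation or DSE tooling: it scans a configuration file for the protected properties listed on this page and reports any whose value does not look like dsetool encryptconfigvalue output. The function names and the "base64 that decodes to whole 16-byte blocks" test are assumptions drawn from the sample value shown above, and the embedded YAML is constructed.

```python
import base64
import binascii
import re

# Protected properties listed on this page: file -> section -> keys.
PROTECTED = {
    "dse.yaml": {"ldap_options": {"search_password", "truststore_password"}},
    "cassandra.yaml": {
        "server_encryption_options": {"keystore_password", "truststore_password"},
        "client_encryption_options": {"keystore_password", "truststore_password"},
    },
}
# A commented-out line never matches, because '#' cannot start a key.
KEY_LINE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*(.*)$")

# Constructed sample input, not a real cluster configuration.
SAMPLE_CASSANDRA_YAML = """\
server_encryption_options:
    keystore_password: +Vj5oHCR/jqfA+OJE2m8zA==
    truststore_password: cassandra
client_encryption_options:
    # keystore_password: cassandra
    truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==  # encrypted
"""


def looks_encrypted(value):
    """Assumed heuristic: strict base64 decoding to whole 16-byte blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0


def find_plaintext(kind, text):
    """Return 'section.key' for protected values that do not look encrypted."""
    section, hits = None, []
    for line in text.splitlines():
        match = KEY_LINE.match(line)
        if not match:
            continue
        indent, key, value = match.groups()
        value = value.split(" #")[0].strip().strip("'\"")  # drop comment, quotes
        if not indent:
            section = key  # an unindented key opens a new section
        elif key in PROTECTED[kind].get(section, ()) and not looks_encrypted(value):
            hits.append(f"{section}.{key}")
    return hits
```

The check is a shape test only: it does not decrypt with the local key, and a long plain text password that happens to be valid base64 of the right length would pass it.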