Configuring local encryption

Use locally stored symmetric encryption keys to protect sensitive system resources, configuration file properties, search indexes, and/or database tables.

Use locally-stored symmetric encryption keys to protect the following assets:

Local encryption guidelines

When you encrypt tables, hint files, commit logs, and configuration properties using a local key:

  • Create any number of local encryption keys using the dsetool createsystemkey command.
    • Tables can use different encryption keys.

      DataStax Enterprise creates a unique key for each combination of cipher algorithm, key strength, and external local encryption key used in a table definition and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt and decrypt the table key.

    • Configuration properties use the same key file that is defined by the property.
    • All system resources use the same key file. (The file is not selectable.)
  • Distribute all local encryption key files cluster-wide. Put keys on all nodes in the same folder and define the location in the system_key_directory property in dse.yaml.
  • Ensure that the DataStax Enterprise account owns the system_key_directory and has read and write permission on it.

Note: To change an encryption key, see Rekeying existing data.
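
The ownership, permission and distribution guidelines above can be checked per node with a short script. This is an added example, not DataStax code: the function names, finding labels and script name are hypothetical, the group/other access check is stricter than the guideline itself, and sha256sum (or shasum) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not DataStax code: audit the directory that dse.yaml names
# in system_key_directory. The caller supplies the paths and the account name.

command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Print the system_key_directory value from a dse.yaml file (quotes removed).
key_dir_from_yaml() {
    sed -n '/^system_key_directory:/{s/^system_key_directory:[[:space:]]*//;s/[[:space:]]*$//;p;q;}' "$1" |
        tr -d "\"'"
}

# audit_key_dir DIR OWNER: prints one finding per line, returns 1 if any.
audit_key_dir() {
    dir=$1; owner=$2; rc=0
    [ -d "$dir" ] || { echo "MISSING_DIR $dir"; return 1; }
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue                  # empty dir: glob stays literal
        meta=$(ls -ld "$f" | awk '{print $1, $3}')
        mode=${meta%% *}; who=${meta#* }         # e.g. "-rw-------" and "dse"
        [ "$who" = "$owner" ] || { echo "WRONG_OWNER $f ($who)"; rc=1; }
        case $mode in
            ?rw*) ;;                             # owner can read and write
            *) echo "OWNER_NOT_RW $f ($mode)"; rc=1 ;;
        esac
        # Assumption of this example, stricter than the guideline:
        # key material should not be accessible to group or other.
        case $mode in
            ????------*) ;;
            *) echo "GROUP_OR_OTHER_ACCESS $f ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# key_manifest DIR: "<sha256>  <file name>" per key file, sorted by name.
# Diff the output between nodes to confirm each node holds the same key files.
key_manifest() {
    ( cd "$1" && for f in *; do if [ -f "$f" ]; then sha256sum "$f"; fi; done | sort -k 2 )
}

# Stand-alone use (hypothetical script name): sh audit_keys.sh DSE_YAML ACCOUNT
if [ "$#" -eq 2 ]; then
    kd=$(key_dir_from_yaml "$1")
    audit_key_dir "$kd" "$2" && key_manifest "$kd"
fi
```

Run it on every node and compare the manifests; a differing or missing line means a key file was not distributed to that node.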