Setting up local encryption keys
Create local key files and set the file name to use for table and configuration file properties.
Use dsetool createsystemkey to generate local encryption/decryption key files.
Setting up local encryption keys for production environments
After installing DSE, create local encryption/decryption key files in production environments.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Package installations: /etc/dse/dse.yaml
Tarball installations: installation_location/resources/dse/conf/dse.yaml
Procedure
- If the directory does not exist, create the conf directory for your DataStax Enterprise (DSE) installation type:
  - Package installation: /etc/dse/conf
  - Tarball installation: installation_location/resources/dse/conf
- Configure the file name and the location of the encryption key in the dse.yaml file:
  - Go to the conf directory and then create an encryption key using the dsetool createsystemkey command. For example:
cd /etc/dse/conf
dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 key_name
Where key_name is the name of the key file to create. If no file name is specified, the key file is named system_key.
Note: Encryption key files can have any valid Unix name.
DSE supports the following JCE cipher algorithms and corresponding key lengths:
- cipher_algorithm[/mode/padding]
  - AES/CBC/PKCS5Padding (valid with length 128, 192, or 256)
  - AES/ECB/PKCS5Padding (valid with length 128, 192, or 256)
  - DES/CBC/PKCS5Padding (valid with length 56)
  - DESede/CBC/PKCS5Padding (valid with length 112 or 168)
  - Blowfish/CBC/PKCS5Padding (valid with length 32-448)
  - RC2/CBC/PKCS5Padding (valid with length 40-128)
  Default: AES/CBC/PKCS5Padding (with length 128).
Important: If config_encryption_active is set to true in dse.yaml, a warning is generated, but the system key is still successfully generated.
  - Copy the key file to all other nodes in the cluster. Put the keys on all nodes in the same directory.
  - Update the encryption key file name and location in dse.yaml.
  Note: dsetool reads current values from dse.yaml. A restart is not required to continue setting up encryption.
- Ensure that the DSE account owns the key files and has read/write access on them. If necessary, change the ownership of the file to the DSE user:
chown cassandra /etc/dse/conf/system_key
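The ownership step above, and the requirement that the same key file sit in the same directory on every node, can be verified with a small audit script. This is an added example, not part of the DataStax documentation or of dsetool; it assumes GNU coreutils (stat -c, sha256sum) and takes the key directory and expected owner as parameters.

```sh
# Added example (not DataStax code): audit key files made by dsetool createsystemkey.
# Checks existence, expected owner (cassandra by default) and that group/other have
# no access, and prints a SHA-256 so copies can be compared across nodes.
# Assumes GNU coreutils (stat -c, sha256sum).

# check_key_file PATH [OWNER]: returns 0 if every check passes, 1 otherwise.
check_key_file() {
    key_file="$1"
    expected_owner="${2:-cassandra}"
    status=0
    if [ ! -f "$key_file" ]; then
        echo "FAIL: $key_file is not a regular file"
        return 1
    fi
    owner="$(stat -c '%U' "$key_file")"
    mode="$(stat -c '%a' "$key_file")"
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $key_file is owned by $owner, expected $expected_owner"
        status=1
    fi
    # The last two octal digits are the group and other bits; both must be
    # zero (for example mode 600 or 400) so only the DSE account can read the key.
    case "$mode" in
        *00) ;;
        *)  echo "FAIL: $key_file has mode $mode; group/other must have no access"
            status=1 ;;
    esac
    echo "INFO: sha256 $(sha256sum "$key_file" | cut -d' ' -f1)  $key_file"
    return "$status"
}

# check_key_dir DIR [OWNER]: audits every regular file in DIR (for example
# /etc/dse/conf on a package installation); returns 1 if any file fails or
# the directory holds no key files at all.
check_key_dir() {
    key_dir="$1"
    dir_status=0
    found=0
    for f in "$key_dir"/*; do
        [ -f "$f" ] || continue
        found=1
        check_key_file "$f" "$2" || dir_status=1
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no key files in $key_dir"; dir_status=1; }
    return "$dir_status"
}
```

Run `check_key_dir /etc/dse/conf cassandra` on each node after copying the key; the printed SHA-256 lines must match across the cluster.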
Setting up local encryption keys to embed in installation package for development environments
Create local encryption/decryption keys that you can embed in a distribution package for development environments.
You can create a local encryption/decryption key file that can be embedded in a distribution (tarball). In development environments, this distribution package can then be used by other users. This strategy is especially helpful when using scripts with IT automation tools such as Ansible.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Package installations: /etc/dse/dse.yaml
Tarball installations: installation_location/resources/dse/conf/dse.yaml
Procedure
- Specify the key file output directory when you create the encryption key with the dsetool createsystemkey command. For example:
dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 -d /home/jane/keys
Result: A key file /home/jane/keys/system_key is created.
- In the distribution tarball, create a directory for the system key file. Use the default location (/etc/dse/conf) or add a new location.
- If you used a new location, update the system_key_directory property in dse.yaml as appropriate.