Rekeying existing data
Create a new local encryption key, change the table key filename, and re-encrypt the SSTables using the new key. When changing the system key, all existing data must be re-encrypted before removing the old key.
dse.yaml
The location of the dse.yaml file depends on the type of installation:

| Installation type | Location |
| --- | --- |
| Package installations | /etc/dse/dse.yaml |
| Tarball installations | installation_location/resources/dse/conf/dse.yaml |
Prerequisites
- DataStax Enterprise node administrator or superuser account with read/write/modify permission on DSE resources and configuration directories.
- If DSE database authentication and authorization is enabled, a database account with ALTER TABLE permission on the encrypted tables.
Procedure
- Back up SSTables.
- Create a new local encryption key and distribute it to the nodes in the cluster:
- Change the key filename in the table schemas:
- Use nodetool upgradesstables to rewrite the encrypted SSTables using the new key. Run the following command on every node in the cluster:
  - Target only specific tables:
    nodetool upgradesstables --include-all-sstables keyspace_name table_name [table_name …]
  - Target a specific keyspace:
    nodetool upgradesstables --include-all-sstables keyspace_name
  - All keyspaces and tables:
    nodetool upgradesstables --include-all-sstables
- After completing the above steps, remove the old key and ensure that the old key is not used for any tables or configuration file property encryption.
Note: The old key is required to access the backed up SSTables created in the first step.
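The following script is an added example, not part of the DataStax documentation, showing how an operator might drive the rewrite step across every node and then verify the final step (that the old key is no longer referenced anywhere) before deleting the key file. It assumes passwordless ssh from an admin host to each node as a user allowed to run nodetool, a schema dump saved beforehand with cqlsh (`DESCRIBE SCHEMA`), and that the table option that names the key file is `secret_key_file` and the dse.yaml properties are `system_key_directory` and `config_encryption_key_name`; the sample schema and dse.yaml contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not DSE's own tooling). Assumptions: ssh access to every node
# in $NODES, nodetool on each node's PATH, and a schema dump file produced
# with `cqlsh -e 'DESCRIBE SCHEMA' > schema.cql` before the old key is removed.

# Build the nodetool command for the chosen scope. With no arguments it covers
# all keyspaces and tables; with a keyspace it covers that keyspace; with a
# keyspace plus table names it covers only those tables (the three forms above).
upgrade_cmd() {
    cmd="nodetool upgradesstables --include-all-sstables"
    for arg in "$@"; do
        cmd="$cmd $arg"
    done
    echo "$cmd"
}

# Run the rewrite on every node listed in $NODES (space-separated hostnames),
# stopping at the first failure so a half-rekeyed cluster is noticed.
# Set DRY_RUN=1 to print the per-node commands instead of executing them.
rekey_all_nodes() {
    cmd=$(upgrade_cmd "$@")
    for node in $NODES; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[$node] $cmd"
        else
            ssh "$node" "$cmd" || { echo "upgradesstables FAILED on $node" >&2; return 1; }
        fi
    done
}

# Final-step check: before deleting the old key file, fail if its name still
# appears in any table schema (schema dump) or in dse.yaml (config property
# encryption). Prints each offending line with its line number.
# Returns 0 when the key is unreferenced, 1 when a reference remains.
old_key_referenced() {
    key_name="$1"; schema_dump="$2"; dse_yaml="$3"
    found=0
    for f in "$schema_dump" "$dse_yaml"; do
        if grep -n -- "$key_name" "$f"; then
            found=1
        fi
    done
    return $found
}

# Constructed sample inputs (not real cluster output): one table already moved
# to the new key, one table still on the old key, and a dse.yaml whose config
# property encryption still names the old key. The option/property names are
# assumed for the sample.
write_samples() {
    dir="$1"
    cat > "$dir/schema.cql" <<'EOF'
CREATE TABLE ks1.t_rekeyed (id int PRIMARY KEY, v text) WITH compression = {'sstable_compression': 'Encryptor', 'secret_key_file': '/etc/dse/conf/data_encryption_keys/new_system_key'};
CREATE TABLE ks1.t_forgotten (id int PRIMARY KEY, v text) WITH compression = {'sstable_compression': 'Encryptor', 'secret_key_file': '/etc/dse/conf/data_encryption_keys/old_system_key'};
EOF
    cat > "$dir/dse.yaml" <<'EOF'
system_key_directory: /etc/dse/conf/data_encryption_keys
config_encryption_active: true
config_encryption_key_name: old_system_key
EOF
}

# Usage (run by hand; nothing executes at load time):
#   export NODES="node1 node2 node3"
#   rekey_all_nodes ks1                 # or: rekey_all_nodes ; rekey_all_nodes ks1 t1 t2
#   old_key_referenced old_system_key schema.cql /etc/dse/dse.yaml && rm old_system_key
```

The check deliberately greps for the bare key filename rather than a particular option syntax, so it also catches references in tables that were altered by hand and in any dse.yaml property that names the key; a clean result is the precondition the last step of the procedure asks for, while the backed-up SSTables from step one still need the old key and should be kept with it.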