Encrypting system resources

Protect sensitive data in the system keyspace, hint files, and commit logs. Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.

Note: If tracing is enabled, the system_traces keyspace also contains sensitive data; encrypt tables in the system_traces keyspace following the instructions in Encrypting tables.
dse.yaml

The location of the dse.yaml file depends on the type of installation:
- Package installations: /etc/dse/dse.yaml
- Tarball installations: installation_location/resources/dse/conf/dse.yaml
Prerequisites

Note: When using a local encryption key file, set the location and ensure that the key file is owned by the account running DSE.
Procedure

- In the dse.yaml file, configure encryption settings for system tables, the commit log, and the hints files:

    system_info_encryption:
        enabled: true
        cipher_algorithm: cipher_name
        secret_key_strength: key_length
        chunk_length_kb: default_table_chunk_size

  - Required. Set enabled to true.
  - Optional. Configure the type of encryption key to use:
    - cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. For a list of supported algorithms, see
    - secret_key_strength: Specify the key length.
    - chunk_length_kb: Chunk size of the SSTables, in KB. The default (64) is used if the option is excluded.
  - Required. Set
- Perform a rolling restart of DSE.
- To encrypt existing data, run -a system batchlog paxos on all nodes in the cluster.
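As an added pre-restart check, not part of the DataStax documentation, the following Python parses the system_info_encryption block out of a dse.yaml, flags settings that do not match the procedure above (enabled not true, no cipher_algorithm, no numeric secret_key_strength), and checks the prerequisite that the local key file is owned by the account running DSE. The sample block, the key-file path and the account name are constructed for illustration.

```python
import os
import pwd

# Constructed sample, not taken from a real node: the block as this page
# configures it, with the placeholder values filled in.
CONFIGURED = """\
system_info_encryption:
    enabled: true
    cipher_algorithm: AES
    secret_key_strength: 128
    chunk_length_kb: 64
"""


def parse_block(text, key="system_info_encryption"):
    """Return the indented scalar children of top-level `key` as a dict (minimal YAML subset)."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():          # a new top-level key starts here
            inside = stripped.rstrip(":") == key
            continue
        if inside:
            k, _, v = stripped.partition(":")
            settings[k.strip()] = v.split("#", 1)[0].strip()
    return settings


def check_settings(settings):
    """Return the problems found; an empty list means the block is ready for the rolling restart."""
    problems = []
    if settings.get("enabled", "").lower() != "true":
        problems.append("enabled must be true")
    if not settings.get("cipher_algorithm"):
        problems.append("cipher_algorithm is not set")
    if not settings.get("secret_key_strength", "").isdigit():
        problems.append("secret_key_strength must be a numeric key length")
    return problems


def key_file_owned_by(path, account):
    """True when the local key file exists and is owned by the account running DSE."""
    try:
        return os.stat(path).st_uid == pwd.getpwnam(account).pw_uid
    except (FileNotFoundError, KeyError):
        return False
```

Run check_settings(parse_block(open("/etc/dse/dse.yaml").read())) before the rolling restart; an empty list plus a true key_file_owned_by result for the configured key file means the node will come up with encryption on.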