Configuring local encryption
Use locally stored symmetric encryption keys to protect sensitive system resources, configuration file properties, search indexes, and/or database tables.
- Configuration file property values: LDAP search, LDAP truststore, and SSL truststore passwords.
- Sensitive system resources: System batchlog and paxos tables, hint files, and commit logs.
- Table data: Any table.
- Search indexes: All search indexes.
Local encryption guidelines
When you encrypt tables, hint files, commit logs, and configuration properties using a local key:
- Create any number of local encryption keys using the dsetool createsystemkey command.
- Tables can use different encryption keys. DataStax Enterprise creates a unique table key for each combination of cipher algorithm, key strength, and local encryption key file used in a table definition, and stores it in the dse_system.encrypted_keys table. The local encryption key file is used to encrypt and decrypt that table key.
- Configuration properties use the key file that is named by the property.
- All system resources use the same key file. (The file is not selectable.)
- Distribute all local encryption key files cluster-wide. Put keys on all nodes in the same folder and define the location in the system_key_directory property in dse.yaml.
- Ensure that the DataStax Enterprise account owns the system_key_directory and has read/write permission.
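The following script walks through the guidelines above end to end: create one local key with dsetool, copy it to the same directory on every node, confirm dse.yaml points at that directory, and verify ownership and permissions. It is an added example, not part of the DataStax documentation or the DSE distribution. The key directory (/etc/dse/conf), service account (cassandra), node list, ssh-as-root distribution, and the decision to deny group and other access to the key files are this example's own assumptions; the page itself only requires that the DSE account own the directory with read/write permission.

```shell
#!/bin/sh
# Added example (not DataStax code): set up a local encryption key cluster-wide.
# Assumptions, all adjustable through the environment:
#   KEY_DIR  - value of system_key_directory in dse.yaml (assumed /etc/dse/conf)
#   DSE_USER - account DataStax Enterprise runs as (assumed "cassandra")
#   KEY_NAME - file name given to dsetool createsystemkey (assumed "system_key")
#   NODES    - space-separated hostnames of the other nodes, reachable over ssh
set -eu

KEY_DIR="${KEY_DIR:-/etc/dse/conf}"
DSE_USER="${DSE_USER:-cassandra}"
KEY_NAME="${KEY_NAME:-system_key}"
NODES="${NODES:-}"

# dsetool createsystemkey <cipher/mode/padding> <key strength> [key file name]
# writes the key file into system_key_directory on the local node.
create_key() {
    dsetool createsystemkey 'AES/CBC/PKCS5Padding' 128 "$KEY_NAME"
}

# Every node needs the identical key file at the identical path, owned by the
# DSE account. Copying as root over ssh is this example's assumption.
distribute_key() {
    for node in $NODES; do
        scp -p "$KEY_DIR/$KEY_NAME" "root@$node:$KEY_DIR/$KEY_NAME"
        ssh "root@$node" "chown '$DSE_USER:$DSE_USER' '$KEY_DIR/$KEY_NAME' \
            && chmod 600 '$KEY_DIR/$KEY_NAME'"
    done
}

# dse_yaml_key_dir FILE: print the system_key_directory value from a dse.yaml,
# so the directory we check is the one DSE will actually read keys from.
dse_yaml_key_dir() {
    sed -n 's/^[[:space:]]*system_key_directory:[[:space:]]*//p' "$1" | head -n 1
}

# check_key_dir DIR USER: return 0 when DIR exists, is owned by USER, and
# neither DIR nor any key file in it is readable by group or others.
# Restricting group/other is this example's hardening: anyone who can read the
# key file can decrypt every table, commit log and hint it protects.
check_key_dir() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    # POSIX find: -prune stops at the directory itself, -user tests ownership
    [ -n "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ] \
        || { echo "not owned by $owner: $dir" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c2-10)          # e.g. rwx------
    case "$mode" in
        rw?------) ;;
        *) echo "directory too permissive ($mode): $dir" >&2; return 1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(ls -l "$f" | cut -c2-10)        # e.g. rw-------
        case "$fmode" in
            rw-------) ;;
            *) echo "key file too permissive ($fmode): $f" >&2; return 1 ;;
        esac
    done
    return 0
}

main() {
    create_key
    distribute_key
    yaml_dir=$(dse_yaml_key_dir /etc/dse/dse.yaml)
    [ "$yaml_dir" = "$KEY_DIR" ] \
        || { echo "dse.yaml system_key_directory is '$yaml_dir', expected '$KEY_DIR'" >&2; exit 1; }
    check_key_dir "$KEY_DIR" "$DSE_USER"
}

# Only touch the cluster when explicitly asked, so the file can be sourced for
# its check functions alone (RUN_KEY_SETUP=1 NODES="node2 node3" sh setup_key.sh).
if [ "${RUN_KEY_SETUP:-0}" = 1 ]; then
    main
fi
```

Run check_key_dir on every node after distribution, not just the one where the key was created; a node whose key file is missing or unreadable will fail to start or fail to decrypt data the other nodes can read.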