Encrypting configuration file properties
Configure DSE to use a local encryption key to encrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:
-
dse.yamlLDAP values:ldap_options.search_password ldap_options.truststore_passwordUse plain text for the KMIP keystore or truststore passwords.
-
cassandra.yamlSSL values:server_encryption_options.keystore_password server_encryption_options.truststore_password client_encryption_options.keystore_password client_encryption_options.truststore_password-
Complete the steps in Adding a KMIP host.
If any of the defined KMIP groups are not available, DSE startup fails.
-
For each property, replace plain text passwords with encrypted passwords returned by running the dsetool encryptconfigvalue command:
-
Encrypt the password:
dsetool encryptconfigvalueUsing system key system_key Enter value to encrypt: Enter again to confirm: Your encrypted value is: +Vj5oHCR/jqfA+OJE2m8zA== -
Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml:
truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==Once configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.
-
-
In dse.yaml, enable configuration file property encryption:
-
Set
config_encryption_activeto true.config_encryption_active: trueWhen set to true, the configuration values must be encrypted or commented out.
-
Set the local key encryption filename:
config_encryption_key_name: <key_filename>
-
-
Update the dse.yaml and cassandra.yaml on all nodes in the cluster.
-
Set up encryption for system resources, see Encrypting system resources.
-
