Encrypting configuration file properties

Protect LDAP passwords in the dse.yaml and SSL truststore passwords cassandra.yaml files.

Configure DSE to use a local encryption key to encrypt properties in the configuration file. Use passwords encrypted with the local key for the following properties:
  • dse.yaml LDAP values:
    ldap_options.search_password
    ldap_options.truststore_password
    Restriction: Use plain text for the KMIP keystore or truststore passwords.
  • cassandra.yaml SSL values:

    server_encryption_options.keystore_password
    server_encryption_options.truststore_password
    client_encryption_options.keystore_password 
    client_encryption_options.truststore_password 

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/cassandra/cassandra.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/cassandra/conf/cassandra.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/dse.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/dse/conf/dse.yaml

Prerequisites

Complete the key setup described in Setting up local encryption keys.
Note: When using a local encryption key file, set the location system_key_directory and ensure that the key file is owned by the account running DSE.

Procedure

  1. For each property, replace plain text passwords with encrypted passwords returned by running the dsetool encryptconfigvalue command:
    1. Encrypt the password:
      dsetool encryptconfigvalue
      Using system key system_key
      
      Enter value to encrypt:
      Enter again to confirm:
      
      Your encrypted value is:
      
      +Vj5oHCR/jqfA+OJE2m8zA==
    2. Replace the old value with the new value in the configuration file, for example the SSL truststore password in the cassandra.yaml:
      truststore_password: +Vj5oHCR/jqfA+OJE2m8zA==
      Warning: Once configuration file property encryption is enabled, DSE startup fails if any of the protected properties are not encrypted.
  2. In dse.yaml, enable configuration file property encryption:
    1. Set config_encryption_active to true.
      config_encryption_active: true
      When set to true, the configuration values must be encrypted or commented out.
    2. Set the local key encryption filename:
      config_encryption_key_name: key_filename
  3. Update the dse.yaml and cassandra.yaml on all nodes in the cluster.
  4. Optional: Set up encryption for system resources, see Encrypting system resources.
  5. Perform a rolling restart.