Encrypt system resources
Encrypt data in the system.batches and system.paxos tables, hint files, and commit logs using a local encryption key.
If tracing is enabled, the system_traces keyspace also contains sensitive data.
Encrypt tables in the system_traces keyspace as explained in Encrypt tables.
-
Complete the key setup described in Setting up local encryption keys.
When using a local encryption key file, set the location in
system_key_directory, and ensure that the key file is owned by the account running DSE. -
Locate the
dse.yamlconfiguration file. The location of this file depends on the type of installation:-
Package installations:
/etc/dse/dse.yaml -
Tarball installations:
<installation_location>/resources/dse/conf/dse.yaml
-
-
In the
dse.yamlfile, configure encryption settings for system tables, thecommitlog, and thehintfiles.system_info_encryption: enabled: true cipher_algorithm: <cipher_name> secret_key_strength: <key_length> chunk_length_kb: <default_table_chunk_size>-
Set
enabledto true. -
Optionally, you can configure the type of encryption key to use:
-
cipher_algorithm: Set the name of a supported JCE cipher algorithm to use. For a list of support algorithms, seecipher_algorithm -
secret_key_strength: Specify the key length. -
chunk_length_kb: Size of SSTables. The default64is used if the option is excluded. When these properties are set, DataStax Enterprise (DSE) only uses a key that matches. If no matching key exists, start up fails.
-
-
-
To encrypt existing data, run the following
nodetool upgradesstablescommand on all nodes in the cluster:nodetool upgradesstables -a system batchlog paxos
