1
votes

The password for the keystore and truststore in the Cassandra YAML file is saved in clear text. What is the best approach to eliminate the password from the file or encrypt it? We can't save the password in a file.

Below is an excerpt of documentation:

server_encryption_options: Enable or disable inter-node encryption. You must also generate keys and provide the appropriate key and trust store locations and passwords. No custom encryption options are currently enabled.

The available options are:

internode_encryption: (Default: none) Enable or disable encryption of inter-node communication using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and encryption of data transfers. The available inter-node options are:

all: Encrypt all inter-node communications.
none: No encryption.
dc: Encrypt the traffic between the data centers (server only).
rack: Encrypt the traffic between the racks (server only).
keystore: (Default: conf/.keystore) The location of a Java keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE), which is the Java version of the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages.
keystore_password: (Default: cassandra) Password for the keystore.
truststore: (Default: conf/.truststore) Location of the truststore containing the trusted certificate for authenticating remote servers.
truststore_password: (Default: cassandra) Password for the truststore.

The passwords used in these options must match the passwords used when generating the keystore and truststore. For instructions on generating these files, see Creating a Keystore to Use with JSSE.

The advanced settings are:

protocol: (Default: TLS)
algorithm: (Default: SunX509)
store_type: (Default: JKS)
cipher_suites: (Default: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA)
require_client_auth: (Default: false) Enables or disables certificate authentication.


2 Answers

1
votes

I'm not sure there is a way to encrypt these passwords in open source Cassandra, but DataStax Enterprise does support the encryption of passwords in the configuration files, following this documentation.

-1
votes

Cassandra is shipped with basic security (using the default Java scheme). Advanced security, like integration with Kerberos or LDAP, which delegates authentication to a central authority, is available, but only in the enterprise edition (DataStax Enterprise).
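Neither answer gives a way to remove the store passwords from cassandra.yaml in the open source release, so the practical defensive step is to detect the state the question describes. The following is an added example, not code from the original post or from Cassandra: it parses the server_encryption_options block of a constructed cassandra.yaml excerpt (my own sample, with a deliberately minimal parser instead of PyYAML) and flags the documented default password "cassandra" and any store password kept in cleartext.

```python
import re

# Constructed cassandra.yaml excerpt (not from a real cluster): the keystore uses
# the documented default password, the truststore a non-default cleartext one.
SAMPLE_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: s3cr3t-but-still-cleartext   # trailing comment
    protocol: TLS
    store_type: JKS
"""

DEFAULT_STORE_PASSWORD = "cassandra"  # default quoted in the question's docs excerpt
PASSWORD_KEYS = ("keystore_password", "truststore_password")


def parse_encryption_options(text: str) -> dict:
    """Collect key: value pairs under server_encryption_options (flat block only,
    no PyYAML dependency; enough for this audit)."""
    opts = {}
    in_block = False
    for line in text.splitlines():
        if re.match(r"^server_encryption_options:\s*$", line):
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        m = re.match(r"^\s+(\w+):\s*(.*?)\s*(?:#.*)?$", line)
        if not m:
            break  # dedented line: the block has ended
        opts[m.group(1)] = m.group(2).strip("'\"")
    return opts


def audit_encryption_options(opts: dict) -> list:
    """One finding per weakness: unencrypted inter-node traffic, default store
    password, or a store password kept in cleartext."""
    findings = []
    if opts.get("internode_encryption", "none") == "none":
        findings.append("internode_encryption is none: inter-node traffic is unencrypted")
    for key in PASSWORD_KEYS:
        value = opts.get(key)
        if value == DEFAULT_STORE_PASSWORD:
            findings.append(f"{key} is the documented default '{DEFAULT_STORE_PASSWORD}'")
        elif value:
            findings.append(f"{key} is stored in cleartext in cassandra.yaml")
    return findings
```

Run against the real file with `parse_encryption_options(open("/path/to/cassandra.yaml").read())`; an empty findings list means no store password is present in the block at all, which is the state the question is asking for.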