Encrypting new DSE Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new Solr cores when you create them.

Prerequisites

When using TDE secure local file system. Encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

Procedure

Encryption is enabled per core.

To enable encryption for a new core, edit the solrconfig.xml file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
  • Recommended: Use the dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
    dsetool create_core keyspace.table generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
  • You can also use the dsetool create_core command this way:
    dsetool create_core keyspace.table schema=schema.xml solrconfig=solrconfig.xml
    where the solrconfig.xml file specifies the required directoryFactory:
    <directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>
    See Using custom resources.
After you create an encrypted Solr core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.