Encrypting new DSE Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new Solr cores when you create them.


TDE requires a secure local file system to be effective. Encryption certificates are stored off-server with KMIP encryption or locally with on-server encryption.


Encryption is enabled per core.

To enable encryption for a new core, edit the solrconfig.xml file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
  • Recommended: Use the dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
    $ dsetool create_core keyspace.table generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
  • You can also use the dsetool create_core command this way:
    $ dsetool create_core keyspace.table schema=schema.xml solrconfig=solrconfig.xml
    where the solrconfig.xml file specifies the required directoryFactory:
    <directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>
    See Using custom resources.
After you create an encrypted Solr core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.