Encrypting new Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new search cores when you create them.

clients directory

The default location of the clients directory depends on the type of installation:
Package installations /usr/share/dse/clients
Tarball installations installation_location/clients

solrj-auth-README.md

The default location of the solrj-auth-README.md file depends on the type of installation:
Package installations /usr/share/dse/solr
Tarball installations installation_location/resources/solr

Using SolrJ Auth to implement encryption

To use the SolrJ-Auth libraries to implement encryption, follow instructions in the solrj-auth-README.md file.

These SolrJ-Auth libraries are included in the clients directory in DataStax Enterprise distribution. The SolrJ-Auth code is public.

Prerequisites

When using TDE secure local file system. Encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

Procedure

Encryption is enabled per core.

To enable encryption for a new core, edit the search index config file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
  • Recommended: Use the dsetool dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
    dsetool create_core keyspace_name.table_name generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
  • You can also use the dsetool dsetool create_core command this way:
    dsetool create_core keyspace_name.table_name schema=schema.xml solrconfig=solrconfig.xml
    where the solrconfig.xml file specifies the required directoryFactory:
    <directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>
    The generateResources=true option generates resources only if resources do not exist in the solr_resources table.
After you create an encrypted search core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.