Encrypting Search indexes

DSE Search index encryption shares the setup with SSTable encryption.

DSE Search uses transparent data encryption (TDE) to encrypt data, including DSE Search index files and the DSE Search commit log. Cached data is not encrypted. DSE Search index encryption shares the setup with SSTable encryption, including secret key management and cipher creation.

DSE Search encryption is on when:
  • The backing database table is also encrypted. The backing CQL table for a search core contains the system key (secret key). This backing CQL table must be encrypted to enable encryption of search indexes. Every new index file is created with the latest encryption setup of the backing database table.
  • The Search index config class for directoryFactory is solr.EncryptedFSDirectoryFactory.
Table encryption can be dynamically enabled, changed, and disabled without restarting a DataStax Enterprise node. The index encryption setup changes with the table.

All encrypted files have a header that contains the required information to reconstruct cipher transformation that is used for the file.

Note: Encryption with DSE Search introduces a slight performance overhead.