Encrypting Search Indexes

DSE Search uses transparent data encryption (TDE) to encrypt data, including DSE Search index files and the DSE Search commit log. Cached data is not encrypted. DSE Search index encryption shares the setup with SSTable encryption, including secret key management and cipher creation.

DSE Search encryption is on when:

  • The backing database table is also encrypted. The backing CQL table for a search core contains the system key (secret key). This backing CQL table must be encrypted to enable encryption of DSE Search indexes. Every new index file is created with the latest encryption setup of the backing database table.

  • The Search index config class for directoryFactory is solr.EncryptedFSDirectoryFactory.

Table encryption can be dynamically enabled, changed, and disabled without restarting a DataStax Enterprise (DSE) node. The index encryption setup changes with the table.

All encrypted files have a header that contains the required information to reconstruct cipher transformation that is used for the file.

Encryption with DSE Search introduces a slight performance overhead.

For related information about Storage-Attached Indexing (SAI), see the following:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com