Encrypting Search Indexes
DSE Search uses transparent data encryption (TDE) to encrypt data, including DSE Search index files and the DSE Search commit log.
Cached data is not encrypted.
DSE Search index encryption shares the setup with SSTable encryption, including secret key management and cipher creation.
DSE Search encryption is on when:
-
the backing database table is also encrypted. The backing
CQLtable for a search core contains the system key (secret key). This backingCQLtable must be encrypted to enable encryption of DSE Search indexes. Every new index file is created with the latest encryption setup of the backing database table. -
the Search index config class for directoryFactory is
solr.EncryptedFSDirectoryFactory.
Table encryption can be dynamically enabled, changed, and disabled without restarting a DataStax Enterprise node. The index encryption setup changes with the table.
All encrypted files have a header that contains the required information to reconstruct cipher transformation that is used for the file.
|
Encryption with DSE Search introduces a slight performance overhead. |
For related information about Storage-Attached Indexing (SAI), see About SAI encryption.
- Encrypting new Search indexes
-
Steps to encrypting new DSE Search index files.
- Encrypting existing Search indexes
-
Steps to encrypt existing DSE Search index files.
- Tuning encrypted Search indexes
-
Steps to tune DSE Search index encryption.
