Tuning Encrypted Search Indexes
The primary configuration settings for tuning search index encryption are in the dse.yaml configuration file.
Procedure
-
Locate the
dse.yamlconfiguration file. The location of this file depends on the type of installation:-
Package installations:
/etc/dse/dse.yaml -
Tarball installations:
<installation_location>/resources/dse/conf/dse.yaml
-
-
In the
dse.yamlfile on each node, adjust the index encryption options:# solr_encryption_options: # decryption_cache_offheap_allocation: true # decryption_cache_size_in_mb: 256-
decryption_cache_offheap_allocation- Specify whether to allocate search decryption cache off JVM heap. -
decryption_cache_size_in_mb- Sets the maximum size of shared search decryption cache, in megabytes (MB).
-
-
Additional properties in the Search index config are available to tune encryption, although DataStax recommends using the default settings:
<directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"> <bool name="solr.crypto.cache.enabled">true</bool> <int name="solr.crypto.encryption.workers">2</int> <int name="solr.crypto.encryption.bufferpool.sizeinbytes">10240</int> </directoryFactory> -
To monitor the decryption cache, use Java Management Extensions (JMX) and the
Solr Admin UIto view the Apache Solr metrics that are provided forBlock Cache.For tuning purposes, review the
hitratiometric. Ifhitratiois below1.00, the cache is too small to fit the entire decrypted index into memory. -
To verify which files are encrypted, use this command to list all DSE Search index files for the specified search core on the local node:
dsetool list_index_files <keyspace_name>.<table_name> [--index <directory>]where
--index <directory>specifies the data directory that contains the search index files. When not specified, the default directory is inferred from the search core name.
