Encrypt new search indexes

You can enable encryption for new search cores when you create them.

Using SolrJ Auth to implement encryption

To use the SolrJ-Auth libraries to implement encryption, follow instructions in the solrj-auth-README.md file. The default location of the solrj-auth-README.md file depends on the type of installation:

  • Package installations: /usr/share/dse/solr

  • Tarball installations: <installation_location>/resources/solr

These SolrJ-Auth libraries are included in the clients directory in DataStax Enterprise (DSE) distribution. The default location of the clients directory depends on the type of installation:

  • Package installations: /usr/share/dse/clients

  • Tarball installations: <installation_location>/clients

The SolrJ-Auth code is public.

Enable encryption for new search cores

Encryption is enabled per core.

To enable encryption for a new core, edit the search index config file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.

When using a TDE-secured local file system, encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

With automatic resource generation (recommended)

Use the dsetool create_core command with automatic resource generation. When generateResources=true, the command generates resources only if resources don’t exist in the solr_resources table.

Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the coreOptionsInline argument:

dsetool create_core <keyspace_name>.<table_name> generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
Without automatic resource generation

Use the dsetool create_core command without automatic resource generation:

dsetool create_core <keyspace_name>.<table_name> schema=schema.xml solrconfig=solrconfig.xml

The solrconfig.xml file must specify the required directoryFactory. For example:

<directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>

When you create an encrypted search core, a node restart isn’t required.

To disable encryption, disable encryption for the backing CQL table. No node restart is required.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM