Tuning Encrypted Search Indexes

The primary configuration settings for tuning search index encryption are in the dse.yaml configuration file.

Procedure

Locate the dse.yaml configuration file. The location of this file depends on the type of installation:
- Package installations: /etc/dse/dse.yaml
- Tarball installations: <installation_location>/resources/dse/conf/dse.yaml
In the dse.yaml file on each node, adjust the index encryption options:
```
# solr_encryption_options:
#    decryption_cache_offheap_allocation: true
#    decryption_cache_size_in_mb: 256
```
1. decryption_cache_offheap_allocation - Specify whether to allocate search decryption cache off JVM heap.
2. decryption_cache_size_in_mb - Sets the maximum size of shared search decryption cache, in megabytes (MB).

Additional properties in the Search index config are available to tune encryption, although DataStax recommends using the default settings:

<directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory">
    <bool name="solr.crypto.cache.enabled">true</bool>
    <int name="solr.crypto.encryption.workers">2</int>
    <int name="solr.crypto.encryption.bufferpool.sizeinbytes">10240</int>
 </directoryFactory>

To monitor the decryption cache, use Java Management Extensions (JMX) and the Solr Admin UI to view the Apache Solr metrics that are provided for Block Cache.

For tuning purposes, review the hitratio metric. If hitratio is below 1.00, the cache is too small to fit the entire decrypted index into memory.
To verify which files are encrypted, use this command to list all DSE Search index files for the specified search core on the local node:
```
dsetool list_index_files <keyspace_name>.<table_name> [--index <directory>]
```
where --index <directory> specifies the data directory that contains the search index files. When not specified, the default directory is inferred from the search core name.