Encrypting new Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new search cores when you create them.

solrj-auth-README.md

The default location of the solrj-auth-README.md file depends on the type of installation:

Package installations Installer-Services installations	/usr/share/dse/solr
Tarball installations Installer-No Services installations	`installation_location`/resources/solr

clients

The default location of the clients directory depends on the type of installation:

Package installations Installer-Services installations	/usr/share/dse/clients
Tarball installations Installer-No Services installations	`installation_location`/clients

Using SolrJ Auth to implement encryption

To use the SolrJ-Auth libraries to implement encryption, follow instructions in the solrj-auth-README.md file.

These SolrJ-Auth libraries are included in the clients directory in DataStax Enterprise distribution. The SolrJ-Auth code is public.

Prerequisites

When using TDE on a secure local file system, encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

Procedure

Encryption is enabled per core.

To enable encryption for a new core, edit the search index config to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.

For example, you can use the dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:

dsetool create_core keyspace_name.table_name generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"

After you create an encrypted search core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.