Encrypting new Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new search cores when you create them.

solrj-auth-README.md

The default location of the solrj-auth-README.md file depends on the type of installation:

Package installations
Installer-Services installations

/usr/share/dse/solr

Tarball installations
Installer-No Services installations

installation_location/resources/solr

clients

The default location of the clients directory depends on the type of installation:

Package installations
Installer-Services installations

/usr/share/dse/clients

Tarball installations
Installer-No Services installations

installation_location/clients

Using SolrJ Auth to implement encryption

To use the SolrJ-Auth libraries to implement encryption, follow instructions in the solrj-auth-README.md file.

These SolrJ-Auth libraries are included in the clients directory in DataStax Enterprise distribution. The SolrJ-Auth code is public.

Prerequisites

When using TDE on a secure local file system, encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

Procedure

Encryption is enabled per core.

To enable encryption for a new core, edit the search index config to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
For example, you can use the dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
dsetool create_core keyspace_name.table_name generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
After you create an encrypted search core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.