Encrypting new Search indexes

Steps to encrypting new DSE Search index files.

You can enable encryption for new search cores when you create them.

solrj-auth-README.md

The default location of the solrj-auth-README.md file depends on the type of installation:
Package installations /usr/share/dse/solr
Tarball installations installation_location/resources/solr

clients directory

The default location of the clients directory depends on the type of installation:
Package installations /usr/share/dse/clients
Tarball installations installation_location/clients

Using SolrJ Auth to implement encryption

To use the SolrJ-Auth libraries to implement encryption, follow instructions in the solrj-auth-README.md file.

These SolrJ-Auth libraries are included in the clients directory in DataStax Enterprise distribution. The SolrJ-Auth code is public.

Prerequisites

When using TDE secure local file system. Encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.

Procedure

Encryption is enabled per core.

To enable encryption for a new core, edit the search index config file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
  • Recommended: Use the dsetool dsetool create_core command with automatic resource generation. Specify the class for directoryFactory to solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
    dsetool create_core keyspace_name.table_name generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
  • You can also use the dsetool dsetool create_core command this way:
    dsetool create_core keyspace_name.table_name schema=schema.xml solrconfig=solrconfig.xml
    where the solrconfig.xml file specifies the required directoryFactory:
    <directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>
    The generateResources=true option generates resources only if resources do not exist in the solr_resources table.
After you create an encrypted search core, a node restart is not required.

What's next

To disable encryption, disable encryption for the backing CQL table. No node restart is required.