Encrypting new Search indexes
Steps for encrypting new DSE Search index files.
clients directory
The default location of the clients directory depends on the type of installation:
- Package installations: /usr/share/dse/clients
- Tarball installations: installation_location/clients
solrj-auth-README.md
The default location of the solrj-auth-README.md file depends on the type of installation:
- Package installations: /usr/share/dse/solr
- Tarball installations: installation_location/resources/solr
Using SolrJ Auth to implement encryption
To use the SolrJ-Auth libraries to implement encryption, follow the instructions in the solrj-auth-README.md file.
These SolrJ-Auth libraries are included in the clients directory in the DataStax Enterprise distribution. The SolrJ-Auth code is public.
Prerequisites
When using TDE, secure the local file system. Encryption keys are stored remotely with KMIP encryption or locally with on-server encryption.
Procedure
Encryption is enabled per core.
To enable encryption for a new core, edit the search index config file to change the class for directoryFactory to solr.EncryptedFSDirectoryFactory.
- Recommended: Use the dsetool command with automatic resource generation. Specify the class for directoryFactory as solr.EncryptedFSDirectoryFactory with the handy coreOptionsInline argument:
  dsetool create_core keyspace_name.table_name generateResources=true coreOptionsInline="directory_factory_class:solr.EncryptedFSDirectoryFactory"
  The generateResources=true option generates resources only if resources do not exist in the solr_resources table.
- You can also use the dsetool command this way:
  dsetool create_core keyspace_name.table_name schema=schema.xml solrconfig=solrconfig.xml
  where the solrconfig.xml file specifies the required directoryFactory:
  <directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/>
After you create an encrypted search core, a node restart is not required.
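A check to run on a solrconfig.xml before passing it to dsetool create_core, added here as an example (not DataStax code): it confirms that directoryFactory names solr.EncryptedFSDirectoryFactory and flags Solr's ${property:default} substitution form, where a JVM system property can change the effective class. The function name, status strings and sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ENCRYPTED = "solr.EncryptedFSDirectoryFactory"  # class name given on this page
# Solr property substitution in solrconfig.xml: ${property.name:default}
_SUBST = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def check_directory_factory(solrconfig_xml):
    """Return (status, detail) for the text of one solrconfig.xml.

    status: "encrypted", "overridable", "not_encrypted", "missing", "invalid".
    Intended for the operator's own config files, not untrusted XML.
    """
    try:
        root = ET.fromstring(solrconfig_xml)
    except ET.ParseError as exc:
        return "invalid", f"XML parse error: {exc}"

    factories = root.findall(".//directoryFactory")
    if not factories:
        return "missing", "no directoryFactory element"
    if len(factories) > 1:
        return "invalid", f"{len(factories)} directoryFactory elements found"

    cls = (factories[0].get("class") or "").strip()
    m = _SUBST.match(cls)
    if m:
        # The effective class depends on a JVM system property at startup.
        prop, default = m.group(1), m.group(2) or ""
        if default == ENCRYPTED:
            return "overridable", f"encrypted only while -D{prop} is unset"
        return "not_encrypted", f"default is {default or 'unset'}; depends on -D{prop}"
    if cls == ENCRYPTED:
        return "encrypted", cls
    return "not_encrypted", cls or "class attribute is empty"


# Constructed sample configs (not taken from a real cluster).
SAMPLES = {
    "page_example": '<config><directoryFactory name="DirectoryFactory" class="solr.EncryptedFSDirectoryFactory"/></config>',
    "substituted": '<config><directoryFactory name="DirectoryFactory" class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/></config>',
    "no_factory": "<config><indexConfig/></config>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, *check_directory_factory(xml))
```

Only an "encrypted" result means the file pins the encrypted factory unconditionally; treat "overridable" as a finding to resolve before creating the core.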
What's next
To disable encryption, disable encryption for the backing CQL table. No node restart is required.