Transparent Encryption Recommendations for Search
Make /solr
an encryption zone. When you create the encryption zone,
name the key solr-key
to take advantage of auto-generated KMS ACLs.
Steps
On a cluster without Solr currently installed, create the
/solr
directory and make that an encryption
zone.
On a cluster with Solr already installed:
- Create an empty
/solr-tmp
directory. - Make
/solr-tmp
an encryption zone. - DistCp all data from
/solr
into/solr-tmp
. - Remove
/solr
, and rename/solr-tmp
to/solr
.
KMS ACL Configuration for Search
In the KMS ACL, grant the solr
user and group DECRYPT_EEK
permission for the Solr key:
<property>
<name>key.acl.solr-key.DECRYPT_EEK</name>
<value>solr solr</value>
</description>
</property>