Transparent Encryption Recommendations for Search
Make /solr an encryption zone. When you create the encryption zone,
name the key solr-key to take advantage of auto-generated KMS ACLs.
Steps
On a cluster without Solr currently installed, create the
/solr directory and make that an encryption
zone.
On a cluster with Solr already installed:
- Create an empty
/solr-tmpdirectory. - Make
/solr-tmpan encryption zone. - DistCp all data from
/solrinto/solr-tmp. - Remove
/solr, and rename/solr-tmpto/solr.
KMS ACL Configuration for Search
In the KMS ACL, grant the solr user and group DECRYPT_EEK
permission for the Solr key:
<property>
<name>key.acl.solr-key.DECRYPT_EEK</name>
<value>solr solr</value>
</description>
</property>