
Securing MarkLogic Server

Backups Using a Secondary Key

MarkLogic Server encryption at rest includes the ability to use a secondary backup key encryption key (BDKEK) for encrypting backups when encryption is configured with an external KMS. With this BDKEK, you can restore your backup to a new system, one that might not have access to the CDKEK and/or CCKEK.

For example, with this XQuery statement you can back up your Documents database using the BDKEK:

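(: Arguments: forest IDs, backup directory, journal archiving on, journal archive path, lag limit, BDKEK ID :)
xdmp:database-backup(xdmp:database-forests(xdmp:database("Documents")), "/backups/Data", fn:true(),
  "/backups/JournalArchiving", 15, "bf44aab-3f7a-41d2-a6a5-fc41a0e5e0cf")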

Or you could use server-side JavaScript:

// Same backup from server-side JavaScript; the last argument is the BDKEK ID.
xdmp.databaseBackup(xdmp.databaseForests(xdmp.database("Documents")), "/backups/Data", true,
  "/backups/JournalArchiving", 15, "bf44aab-3f7a-41d2-a6a5-fc41a0e5e0cf");

In these examples “bf44aab-3f7a-41d2-a6a5-fc41a0e5e0cf” is the secondary backup key (BDKEK).

The built-ins xdmp:database-backup and xdmp:database-incremental-backup take an optional argument that identifies the BDKEK from the external KMS to use for the backup. The REST API can also use a secondary backup key as part of its backup operations.