Securing MarkLogic Server

Admin APIs for Encryption at Rest

These functions set the mode and descriptions for the host, the keystore host name, and the keystore host port. You can also set the keystore data key ID, config key ID, or logs key ID, set the keystore server certificate, and enable encryption.

These server-side XQuery functions work with either the PKCS #11 secured wallet or a third-party KMIP-compliant keystore:

The admin:cluster-rotate-xxxx-encryption-key-id APIs are only for use with the embedded KMS provided by MarkLogic Server (the PKCS #11 secured wallet). Using these functions with an external KMS will cause an error.

These next two APIs are used in transitioning from an internal keystore (the PKCS #11 secured wallet) to an external KMIP-compliant keystore. If these functions are set to external, MarkLogic Server will first look for the external keystore to verify the keys.

These functions are designed to work with an external KMIP-compliant keystore:

Note

The functions designed to work with an external KMS will return an error if you try to use them with the PKCS #11 secured wallet (the default built-in KMS).