Configuration File and Log File Encryption Options
Encryption at rest for configuration files and log files is configured on the Cluster Configuration page in the Admin Interface. Navigate to this page by choosing Clusters from the left tree menu, clicking the cluster name, and then clicking the Configure tab.
The encryption options are shown in this table:
| File Type | Cluster Encryption Setting: Default On | Cluster Encryption Setting: Default Off | Cluster Encryption Setting: Force |
|---|---|---|---|
| Configuration files | encrypt | do not encrypt | encrypt |
| Log files | encrypt | do not encrypt | encrypt |
Note
The keystore.xml and hsm.cfg files are never encrypted because they hold the configuration for the Keystore. The servers.xml file is not encrypted immediately; it is encrypted once a server (apps server) is updated, a new server is created, or an existing server is deleted. This is because these actions trigger a restart of the MarkLogic Server.
Cluster configuration settings for encryption at rest interact with the encryption settings for databases. You can separately configure encryption for each database on the Database Configuration page in the Admin Interface or set database encryption to default to the cluster encryption settings.
Note
The database encryption configuration settings take precedence unless the cluster Force Encryption option is set. If Force Encryption is on, configuration files and log files will be encrypted. Please check all database encryption settings to ensure that they are set correctly.
The following table shows the interaction between the cluster configuration options and the database configuration options. There are three possible database encryption settings and three possible cluster encryption settings. The cell where the row and column intersect shows the outcome of that configuration combination.
| Database Encryption Setting | Cluster Encryption Setting: Force Encryption | Cluster Encryption Setting: Default On | Cluster Encryption Setting: Default Off |
|---|---|---|---|
| Default to cluster | encrypt | encrypt | do not encrypt |
| On | encrypt | encrypt | encrypt |
| Off | encrypt | do not encrypt | do not encrypt |
The Force Encryption option in the Cluster Encryption Settings will force encryption for all of the databases in the cluster. If the Cluster Encryption Setting is Force Encryption (or Default On), or the Database Encryption Setting is On, then the database will be encrypted.
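The following audit sketch is an added example, not MarkLogic code: it encodes the interaction table above and reports, for an inventory of databases, which ones end up unencrypted and which are encrypted only because of the cluster setting. The database names and the inventory are constructed sample data; the setting labels are the ones used in the table, and the script does not query a server.

```python
from enum import Enum

class Cluster(Enum):
    FORCE = "Force Encryption"
    DEFAULT_ON = "Default On"
    DEFAULT_OFF = "Default Off"

class Database(Enum):
    DEFAULT = "Default to cluster"
    ON = "On"
    OFF = "Off"

def database_encrypted(cluster, db):
    """Return the outcome cell of the interaction table for one database."""
    if cluster is Cluster.FORCE or db is Database.ON:
        return True                      # Force column and On row always encrypt
    if db is Database.OFF:
        return False                     # explicit Off wins unless Force is set
    return cluster is Cluster.DEFAULT_ON # Default to cluster follows the cluster

def audit(cluster, inventory):
    """Return (name, encrypted, note) per database, sorted by name."""
    findings = []
    for name, db in sorted(inventory.items()):
        encrypted = database_encrypted(cluster, db)
        if not encrypted:
            note = "NOT encrypted at rest"
        elif db is Database.OFF:
            note = "encrypted only because the cluster forces it; database is set to Off"
        elif db is Database.DEFAULT:
            note = "encrypted via the cluster setting; Default Off would disable it"
        else:
            note = "encrypted by its own On setting"
        findings.append((name, encrypted, note))
    return findings

# Constructed sample inventory (hypothetical database names and settings).
SAMPLE = {
    "Documents": Database.DEFAULT,
    "Security": Database.ON,
    "Scratch": Database.OFF,
}

if __name__ == "__main__":
    for cluster in Cluster:
        print(f"Cluster setting: {cluster.value}")
        for name, encrypted, note in audit(cluster, SAMPLE):
            print(f"  {name:<10} {'encrypt' if encrypted else 'do not encrypt':<15} {note}")
```

Run it once per candidate cluster setting before changing the setting, so that any database relying on the cluster default is visible in advance.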