Configure Encryption Using REST
You can use REST Management APIs to work with encryption at rest.
GET:/manage/v2/databases/{id|name}/properties
This command gets the current properties of the Documents database, including the encryption status and encryption key ID in JSON format:
$ curl -X GET --anyauth -u admin:admin \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  http://localhost:8002/manage/v2/databases/Documents/properties
Returns
{
  "database-name": "Documents",
  "forest": ["Documents"],
  "security-database": "Security",
  "schema-database": "Schemas",
  "triggers-database": "Triggers",
  "enabled": true,
  "data-encryption": "off",
  "encryption-key-id": "",
  ...
The same command in XML format:
$ curl -X GET --anyauth -u admin:admin \
  -H "Accept: application/xml" -H "Content-Type: application/xml" \
  http://localhost:8002/manage/v2/databases/Documents/properties
Returns
<database-properties xmlns="http://marklogic.com/manage">
  <database-name>Documents</database-name>
  <forests>
    <forest>Documents</forest>
  </forests>
  <security-database>Security</security-database>
  <schema-database>Schemas</schema-database>
  <triggers-database>Triggers</triggers-database>
  <enabled>true</enabled>
  <data-encryption>on</data-encryption>
  <encryption-key-id/>
  ...
</database-properties>
GET:/manage/v2/security/properties
This command returns the current cluster-wide encryption status for localhost, along with other keystore properties such as the encryption key IDs, in JSON format:
$ curl -X GET --anyauth -u admin:admin \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  http://localhost:8002/manage/v2/security/properties
Returns:
{
  "keystore": {
    "data-encryption": "default-off",
    "data-encryption-key-id": "091fd9a0-f090-4c7e-91ca-fedfe21dbfef",
    "config-encryption": "off",
    "config-encryption-key-id": "",
    "logs-encryption": "off",
    "logs-encryption-key-id": "",
    "host-name": "LOCALHOST",
    "port": 9056
  }
}
Here is the same command, this time returning XML:
$ curl -X GET --anyauth -u admin:admin \
  -H "Accept: application/xml" -H "Content-Type: application/xml" \
  http://localhost:8002/manage/v2/security/properties
Returns:
<security-properties xsi:schemaLocation="http://marklogic.com/manage/security/properties manage-security-properties.xsd"
    xmlns="http://marklogic.com/manage/security/properties"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <keystore>
    <data-encryption>default-off</data-encryption>
    <data-encryption-key-id>8d0b07d8-b655-4408-affd-e49a2ece0af3</data-encryption-key-id>
    <config-encryption>off</config-encryption>
    <config-encryption-key-id/>
    <logs-encryption>off</logs-encryption>
    <logs-encryption-key-id/>
    <host-name>LOCALHOST</host-name>
    <port>9056</port>
  </keystore>
</security-properties>
POST:/manage/v2/protected-paths
This command sets a protected path for //d with read permission for the manage-user role:
$ curl -X POST --anyauth -u admin:admin \
  -d @file.xml -H "Content-Type: application/xml" \
  http://localhost:8002/manage/v2/protected-paths
Here is the payload (file.xml):
<protected-path-properties xmlns="http://marklogic.com/manage/protected-path/properties">
  <path-expression>//d</path-expression>
  <path-namespaces/>
  <permissions>
    <permission>
      <role-name>manage-user</role-name>
      <capability>read</capability>
    </permission>
  </permissions>
</protected-path-properties>
Here is the same operation in JSON:
$ curl -X POST --anyauth -u admin:admin \
  -d @file.json -H "Content-Type: application/json" \
  http://localhost:8002/manage/v2/protected-paths
Here is the payload (file.json):
{
  "path-expression": "//e",
  "path-namespace": [],
  "permission": [
    {
      "role-name": ["manage-user"],
      "capability": "read"
    }
  ]
}
PUT:/manage/v2/databases/{id|name}/properties
This command turns on encryption at rest for the Documents database (the database-level setting overrides the cluster default returned by /manage/v2/security/properties):
$ curl -X PUT --anyauth -u admin:admin -d '{"data-encryption":"on"}' \
  -H "Content-Type: application/json" \
  http://localhost:8002/manage/v2/databases/Documents/properties
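The GET and PUT calls above can be combined into a small audit that decides whether a database is actually encrypted at rest and, if not, issues the same PUT the page shows. This is an added example, not MarkLogic's own tooling; it assumes that a database-level value other than "on"/"off" defers to the cluster keystore default, that "default-on" exists as the counterpart of the page's "default-off", and that --anyauth ends up negotiating digest authentication against the Manage API. The sample responses are constructed from the page's output.

```python
import json
import urllib.request

MANAGE = "http://localhost:8002/manage/v2"  # host and port from the page's curl commands

# Constructed sample responses shaped like the page's GET output (not live data).
SECURITY_PROPS = {"keystore": {
    "data-encryption": "default-off",
    "data-encryption-key-id": "091fd9a0-f090-4c7e-91ca-fedfe21dbfef",
    "config-encryption": "off", "logs-encryption": "off",
    "host-name": "LOCALHOST", "port": 9056}}
DB_PROPS = {"database-name": "Documents", "data-encryption": "off", "encryption-key-id": ""}

def effective_data_encryption(security_props, db_props):
    """True if the database's forests are encrypted at rest.
    A database-level "on"/"off" wins; any other value is assumed to defer to
    the cluster default ("default-on" assumed as counterpart of "default-off")."""
    db_setting = db_props.get("data-encryption", "")
    if db_setting in ("on", "off"):
        return db_setting == "on"
    return security_props["keystore"]["data-encryption"] == "default-on"

def audit(security_props, db_props):
    """Findings a reviewer would raise; an empty list means everything is on."""
    ks = security_props["keystore"]
    findings = []
    if not effective_data_encryption(security_props, db_props):
        findings.append("data-encryption not effective for " + db_props["database-name"])
    for kind in ("config-encryption", "logs-encryption"):  # keystore-wide settings
        if ks.get(kind) != "on":
            findings.append("%s is %s" % (kind, ks.get(kind)))
    if not ks.get("data-encryption-key-id"):
        findings.append("keystore has no data-encryption-key-id")
    return findings

def enable_payload():
    """Body of the page's PUT /databases/{name}/properties call."""
    return json.dumps({"data-encryption": "on"})

def put_database_properties(db, body, user="admin", password="admin"):
    """PUT with digest auth (assumed to be what --anyauth negotiates); not run offline."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, MANAGE, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request("%s/databases/%s/properties" % (MANAGE, db),
                                 data=body.encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:
        return resp.status  # HTTP status of the property update
```

Running audit(SECURITY_PROPS, DB_PROPS) against the constructed responses reports three findings; calling put_database_properties("Documents", enable_payload()) against a live host applies the fix for the first of them.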