Securing MarkLogic Server

Key Management

Encryption key management for the embedded KMS (the PKCS #11 secured wallet) is handled automatically by MarkLogic Server. Keys are never purged from the wallet, which is encrypted by a MarkLogic Server-generated key activated by a passphrase. The administrator’s password is used as the initial passphrase.

Note

By default, the keystore passphrase is set to the admin password. We strongly recommend that you set a new, different passphrase before turning on encryption. Using a separate passphrase for admin and the keystore helps support the strong security principle called “Separation of Duties”.

This passphrase can be changed using either the XQuery (xdmp:keystore-set-kms-passphrase) or JavaScript (xdmp.keystoreSetKmsPassphrase) built-in. As part of key management, you may want to export, import, or rotate encryption keys. MarkLogic Server provides built-in functions for exporting, importing, and manually rotating encryption keys. If you require additional key management functionality, consider an external key management system. See Configuring an External Keystore for more information.

If you believe that an encryption key has been compromised, force a merge or start a re-index of your data to update the encryption keys. See Key Rotation for more about updating encryption keys.