Export and Import Encryption Keys
The ability to export and import key encryption keys (KEK) from the PKCS #11 secured wallet (the embedded KMS) is useful when you want to clone a cluster. Exporting a KEK is restricted to the cluster-level keys (CDKEK, CCKEK, CLKEK) and requires a passphrase and a file path. The keys are written, encrypted with the passphrase, to a file at the specified path.
To export a keystore from the embedded KMS:
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";
xdmp:keystore-export("Unique passphrase", "/backups/MarkLogic.wallet.bak")
=> true
To import a keystore into the embedded KMS:
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";
xdmp:keystore-import("Unique passphrase", "/backups/MarkLogic.wallet.bak")
=> true
Key encryption keys can only be imported from files that were exported by MarkLogic Server. Imported keys can only be used for decryption. The import requires the same passphrase that was supplied at export time.
Warning
If a duplicate key is supplied during the import, the import will be rejected. Duplicate keys can be caused by importing the keystore twice.
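The following is an added example, not code from the MarkLogic documentation, that wraps the two calls above in a form closer to what an operator would run as part of a cluster clone. It assumes the passphrase and the action ("export" or "import") are passed in as external variables (for example through xdmp:eval or xdmp:invoke) rather than embedded in the query text, that xdmp:filesystem-file-exists is available on the server version in use, and that the backup path is a constructed sample value.

```xquery
xquery version "1.0-ml";

(: Added example, not MarkLogic's own code.
   $passphrase and $action are assumed to be supplied externally so the
   passphrase never appears in query text or request logs. :)
declare variable $passphrase as xs:string external;
declare variable $action as xs:string external;   (: "export" or "import" :)
declare variable $backup-path as xs:string := "/backups/MarkLogic.wallet.bak";

(: Export the cluster-level KEKs and confirm the encrypted file is on disk. :)
declare function local:export-wallet(
  $passphrase as xs:string,
  $path as xs:string
) as xs:boolean
{
  let $ok := xdmp:keystore-export($passphrase, $path)
  return
    (: keystore-export reports true; also verify the file actually landed :)
    $ok and xdmp:filesystem-file-exists($path)
};

(: Import a previously exported wallet on the target cluster.
   An import whose keys are already present (for example the same file
   imported twice) is rejected, so surface the server's message instead of
   letting the error propagate unexplained. :)
declare function local:import-wallet(
  $passphrase as xs:string,
  $path as xs:string
) as xs:string
{
  if (fn:not(xdmp:filesystem-file-exists($path)))
  then fn:concat("import skipped: no such file ", $path)
  else
    try {
      if (xdmp:keystore-import($passphrase, $path))
      then "imported"
      else "import returned false"
    }
    catch ($e) {
      fn:concat("import rejected: ", $e/error:message/fn:string())
    }
};

if ($action eq "import")
then local:import-wallet($passphrase, $backup-path)
else local:export-wallet($passphrase, $backup-path)
```

Run the export on the source cluster, copy the resulting file to the target, and run the import there with the same passphrase; the imported keys are usable for decryption only, as the text above states.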