Securing MarkLogic Server

Manual Key Rotation

The intermediate fast rotation keys enable immediate envelope key rotation with a minimum of I/O. File-level keys can be rotated at any time by forcing a merge. Log rotation and configuration file updates use the new keys. Old logs, backups, and configuration files are not re-encrypted.

The internal KMS (the PKCS #11 secured wallet) follows these steps for fast key rotation:

  1. The user sends a key rotation command to MarkLogic Server (for example, admin:cluster-rotate-data-encryption-key-id()).

  2. MarkLogic Server requests a new data encryption key (CDKEK, CCKEK, CLKEK - the cluster-level encryption keys) from the internal KMS.

  3. Only the fast rotation keys are re-encrypted with the new data encryption keys (CDKEK, CCKEK, CLKEK).

An external KMS follows these steps for fast key rotation:

  1. The external KMS creates a new KEK (CDKEK, CCKEK, CLKEK - the cluster-level encryption keys).

  2. The user updates the UUIDs in MarkLogic Server. See Set Up an External KMIP KMS with MarkLogic Server Encryption for UUID details.

  3. MarkLogic Server sends a Fast Rotation Key (FRKEK) to the KMS.

  4. The external KMS sends the new enveloped key back to MarkLogic Server.

  5. The enveloped key is saved to disk, per file.

Note

Expired keys can be used for decryption but not encryption. Expired keys may be needed for decrypting backups.
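The key hierarchy that both procedures above rely on, together with the rule in the note about expired keys, as an added Go model written for this page (it is not MarkLogic code and does not talk to a real wallet or KMIP server): a KMS stand-in holds the cluster-level KEKs, the fast rotation key (FRKEK) is enveloped under the active KEK, and each file has its own key enveloped under the FRKEK. FastRotate obtains a new KEK and re-envelopes only the FRKEK, so no file key and no file data is rewritten. The KEK IDs kek-1, kek-2, the associated-data label "frkek", the AES-256-GCM construction and the file names are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Wrapped is an enveloped key: nonce||AES-256-GCM ciphertext of one key
// under another, tagged with the wrapping key's ID (bound as associated data).
type Wrapped struct {
	KEKID string
	Blob  []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func RandBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext of plain under key; open reverses it and
// verifies the tag (every blob in this model is produced by seal).
func seal(key, plain, aad []byte) []byte {
	g := gcm(key)
	nonce := RandBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plain, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KMS is a constructed stand-in for the internal wallet or an external KMS:
// only the active cluster KEK wraps, but every retained KEK can still unwrap.
type KMS struct {
	active string
	keys   map[string][]byte
}

func NewKMS() *KMS {
	k := &KMS{keys: map[string][]byte{}}
	k.Rotate()
	return k
}

// Rotate creates a new KEK (constructed IDs kek-1, kek-2, ...) and makes it
// the only key used for wrapping; the previous one is now "expired".
func (k *KMS) Rotate() string {
	k.active = fmt.Sprintf("kek-%d", len(k.keys)+1)
	k.keys[k.active] = RandBytes(32)
	return k.active
}
func (k *KMS) Wrap(key []byte) Wrapped {
	return Wrapped{KEKID: k.active, Blob: seal(k.keys[k.active], key, []byte(k.active))}
}
func (k *KMS) Unwrap(w Wrapped) ([]byte, error) {
	kek, ok := k.keys[w.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s not available", w.KEKID)
	}
	return open(kek, w.Blob, []byte(w.KEKID))
}

// EncryptedFile is one on-disk file: its own file key sealed under the fast
// rotation key (FRKEK) and its data sealed under that file key.
type EncryptedFile struct {
	Name    string
	FileKey []byte
	Data    []byte
}

func WriteFile(frkek []byte, name string, plain []byte) EncryptedFile {
	fk := RandBytes(32)
	return EncryptedFile{name, seal(frkek, fk, []byte("frkek")), seal(fk, plain, []byte(name))}
}

// FastRotate is the sequence above: obtain a new cluster KEK from the KMS and
// re-envelope only the FRKEK. No file key and no file data is rewritten.
func FastRotate(kms *KMS, frkek []byte) (newKEK string, env Wrapped) {
	newKEK = kms.Rotate()
	return newKEK, kms.Wrap(frkek)
}

// ReadFile decrypts a file with the envelope that sat on disk beside it
// (current, or from a backup): KMS -> FRKEK -> file key -> data.
func ReadFile(kms *KMS, env Wrapped, f EncryptedFile) ([]byte, error) {
	frkek, err := kms.Unwrap(env)
	if err != nil {
		return nil, err
	}
	fk, err := open(frkek, f.FileKey, []byte("frkek"))
	if err != nil {
		return nil, err
	}
	return open(fk, f.Data, []byte(f.Name))
}
```

Usage: create a KMS with NewKMS, draw an FRKEK with RandBytes(32) and envelope it with kms.Wrap, write files with WriteFile, then call FastRotate. The envelope that existed before the rotation is exactly what a backup taken at that time carries, so ReadFile on the backup succeeds only while the KMS still retains the now-expired KEK; a KMS that never had it, or that deleted it, fails at the Unwrap step. That is the operational consequence of the note: rotation replaces the key used for encryption, but the old key must stay available for decrypting older backups.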