Securing MarkLogic Server

Transitioning from an External KMS to PKCS #11 Secured Wallet

Warning

Moving from an external KMS to the internal KMS will downgrade your overall security, as the external KMS is more secure than the internal PKCS #11 secured wallet.

If for some reason you want to stop using your external KMS and revert to using the internal PKCS #11 secured wallet, use the steps in this section to transition to the internal PKCS #11 wallet.

To migrate encryption to the internal PKCS #11 wallet, do the following:

  1. Important: Before you start the transition to an external KMS, back up the wallet that contains all of the internal keys.

  2. Turn off encryption on all categories and force decryption of all encrypted forests by issuing a merge command.

  3. Ensure that all data is unencrypted. Forest status reports the encryption size.

  4. Set the configuration back to the internal PKCS #11 KMS and rotate the key encryption keys. See Key Rotation for more information.

  5. Re-index or force a merge of the database to re-encrypt your data.

    Note

    Encrypted read-only forests will need to be set to updates-allow all and merged, or they will be inaccessible.
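
A pre-flight gate for the step 3 check, shown as an added example that is not part of the MarkLogic documentation: it reads per-forest encryption size and updates-allowed values and blocks step 4 until every forest reports zero. The record shape, the field names and the `preflight` function are assumptions of this example; collecting the readings from forest status is left to your own tooling.

```python
# Constructed per-forest records for illustration. The field names are
# assumptions of this example, not MarkLogic's forest status schema.
SAMPLE_FORESTS = [
    {"forest": "Documents-1", "encrypted_size": 0, "updates_allowed": "all"},
    {"forest": "Documents-2", "encrypted_size": 512, "updates_allowed": "all"},
    {"forest": "Archive-2019", "encrypted_size": 2048, "updates_allowed": "read-only"},
    {"forest": "Staging-1", "updates_allowed": "all"},  # size was not collected
]


def preflight(forests):
    """Return (ready, findings) for the step 3 check.

    ready is True only when every forest reports an encryption size of 0.
    findings holds (forest, reason, action) for each forest blocking step 4.
    """
    findings = []
    for rec in forests:
        name = rec["forest"]
        size = rec.get("encrypted_size")
        if size is None:
            # Fail closed: no reading means the forest counts as still encrypted.
            findings.append((name, "no encryption size reported",
                             "collect forest status again before continuing"))
        elif size > 0 and rec.get("updates_allowed") != "all":
            # The case from the note: must be set to updates-allow all and merged.
            findings.append((name, f"{size} still encrypted, forest not updatable",
                             "set updates-allow to all, then merge"))
        elif size > 0:
            findings.append((name, f"{size} still encrypted",
                             "wait for the merge to finish or issue it again"))
    return (not findings, findings)


if __name__ == "__main__":
    ready, findings = preflight(SAMPLE_FORESTS)
    print("safe to switch KMS configuration:", ready)
    for name, reason, action in findings:
        print(f"  {name}: {reason} -> {action}")
```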