
Securing MarkLogic Server

Transitioning from PKCS #11 Secured Wallet to an External KMS

Transitioning from the internal PKCS #11 secured wallet to an external KMS re-encrypts all configuration files and forest labels. Each file is re-encrypted the next time it is written to disk. If you want to force re-encryption of all data, start a re-index of the database.

Customer-provided cluster KEK IDs will be validated against the KMS for encryption/decryption. If any KEK ID validation fails or MarkLogic Server cannot connect to the KMS, there will be no changes to the configuration files.

Even after you have migrated to an external KMS, the PKCS #11 secured wallet will retain and manage any encryption keys that were generated before the migration to the external keystore.

To migrate from the PKCS #11 secured wallet to an external keystore (KMS), do the following:

  1. Important: Before you start the transition to an external KMS, back up the wallet that contains all of the internal keys.

  2. Confirm that the external KMS is running and available. See Set Up an External KMIP KMS with MarkLogic Server Encryption.

  3. Enable the desired encryption options from the MarkLogic Server Admin Interface. MarkLogic Server encryption will now use the encryption keys supplied by the external KMS.
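The same procedure can be scripted against the Admin API instead of clicking through the Admin Interface. The following XQuery is an added example, not code from the MarkLogic documentation or the product itself. The backup path, export passphrase, KMS host name and port are placeholders that you must replace; the function names are those of the MarkLogic Admin API and should be checked against the API reference for your server version. Step 2 (confirming the KMIP KMS is reachable) is done out of band and is not part of the script.

```xquery
xquery version "1.0-ml";

import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: Step 1: back up the internal PKCS #11 wallet before changing anything.
   The wallet keeps managing every key generated before the migration, so
   data written before the switch still depends on this backup.
   Path and passphrase are placeholders (assumed values, not real ones);
   the passphrase protects the export file and is required to import it. :)
let $_ := xdmp:keystore-export(
            "/var/opt/MarkLogic/wallet-backup.bin",
            "replace-with-a-strong-passphrase")

(: Step 3: point the cluster keystore at the external KMS and enable the
   encryption options. Host name and port are placeholders; 5696 is the
   default KMIP port and is only an assumption about your deployment. :)
let $config := admin:get-configuration()
let $config := admin:cluster-set-keystore-kms-type($config, "external")
let $config := admin:cluster-set-keystore-host-name($config, "kms.example.internal")
let $config := admin:cluster-set-keystore-port($config, xs:unsignedLong(5696))
let $config := admin:cluster-set-config-encryption($config, "on")
let $config := admin:cluster-set-logs-encryption($config, "on")
let $config := admin:cluster-set-data-encryption($config, "default-on")

(: Saving the configuration is the point at which MarkLogic validates the
   KMS connection. If the KMS is unreachable or a KEK ID fails validation,
   the configuration files are left unchanged, as described above. :)
return admin:save-configuration($config)
```

Run this from Query Console as a user with the admin role. If you provide your own cluster KEK IDs, set them in the same configuration pass before saving so that they are validated together with the KMS connection; configuration files and forest labels are then re-encrypted as they are next written, and a database re-index forces re-encryption of the remaining data.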