Securing MarkLogic Server

Terms and Definitions

The following terms and definitions are associated with encryption at rest.

| Term | Definition |
| --- | --- |
| Encryption at rest | Encryption of data that is stored on digital media. |
| KMS | Key Management System. |
| wallet | The PKCS #11 secured wallet provided and managed by MarkLogic Server that functions as the default standalone KMS. |
| KEK | A Key Encryption Key, used to encrypt or "wrap" another encryption key. |
| keystore | Repository for cryptographic keys, either in the PKCS #11 secured wallet or in any external KMS that is KMIP-server conformant. |
| KMIP | Key Management Interoperability Protocol (KMIP specification), governed by the OASIS standards body. Multiple versions of KMIP are currently available; MarkLogic Server encryption supports 1.2. |
| PKCS #11 | One of the Public-Key Cryptography Standards, and also the programming interface used to create and manipulate cryptographic tokens. See the OASIS PKCS TC for details. |
| MKEK | Master Key Encryption Key. Resides in the keystore and is used to generate the CKEK, which is enveloped (encrypted) with the MKEK. |
| CKEK | Cluster Key Encryption Key. Resides in the keystore and is used to encrypt the data (CDKEK), configuration (CCKEK), and log (CLKEK) encryption keys. |
| CDKEK | Cluster Data Key Encryption Key, used to directly encrypt (wrap) the object encryption keys (OKEY) for stands, forest journals, and large files. |
| CCKEK | Cluster Configuration Key Encryption Key, used to encrypt (wrap) the object encryption keys (OKEY) for configuration files. |
| CLKEK | Cluster Log Key Encryption Key, used to encrypt (wrap) the object encryption keys (OKEY) for log files. |
| OKEY | Object Encryption Key, otherwise known as the data object encryption key: a symmetric key used to directly encrypt objects such as stands, forest journals, large files, configuration files, or log files. |
| BKEK | Backup Key Encryption Key, used to encrypt backups, both full and incremental. The BKEK is a locally generated backup KEK that is used to encrypt all files in the backup. The BKEK is itself encrypted with the CDKEK and the BDKEK. |
| BDKEK | Backup Database Key (alternative), only applicable to external KMS configurations. It is used to encrypt a backup in addition to the CDKEK. |
| HSM | Hardware Security Module: a physical computing device (or other hardware device) that safeguards and manages digital key material. |
| Key strength | The size of the key in bits. Usually, the more bits, the stronger the key and the more difficult it is to break; for example, 128 bits, 256 bits, or 512 bits. |
| Key rotation | The process of aging out and replacing encryption keys over time. |
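The key hierarchy defined above (the MKEK wrapping the CKEK, the CKEK wrapping the CDKEK, CCKEK and CLKEK, and the CDKEK wrapping the per-object OKEYs) and what key rotation at the CDKEK level means for the objects underneath it, as an added illustration that is not MarkLogic's code. It assumes an HMAC-SHA256 based encrypt-then-MAC wrap as a stand-in for whatever wrap algorithm MarkLogic uses (the page does not name one), and all key bytes are generated inline.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES key wrap (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(kek: bytes, key: bytes) -> bytes:
    """Envelope `key` under `kek`: nonce || ciphertext || MAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    return nonce + ct + hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the wrapped key; a wrong KEK or a tampered blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong KEK or tampered wrapped key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def build_hierarchy(mkek: bytes) -> dict:
    """MKEK wraps the CKEK; the CKEK wraps CDKEK, CCKEK and CLKEK. Only wrapped forms are kept."""
    ckek = os.urandom(32)
    return {"ckek": wrap(mkek, ckek),
            **{name: wrap(ckek, os.urandom(32)) for name in ("cdkek", "cckek", "clkek")}}

def data_kek(mkek: bytes, h: dict) -> bytes:
    """Walk the chain MKEK -> CKEK -> CDKEK to obtain the plaintext data KEK."""
    return unwrap(unwrap(mkek, h["ckek"]), h["cdkek"])

def rotate_cdkek(mkek: bytes, h: dict, wrapped_okeys: list) -> list:
    """Key rotation at the CDKEK level: re-wrap each OKEY (stand, journal, large file key)
    under a fresh CDKEK. The OKEYs, and so the objects they encrypt, are left untouched."""
    old_cdkek, new_cdkek = data_kek(mkek, h), os.urandom(32)
    h["cdkek"] = wrap(unwrap(mkek, h["ckek"]), new_cdkek)
    return [wrap(new_cdkek, unwrap(old_cdkek, w)) for w in wrapped_okeys]

def unwrap_fails(kek: bytes, blob: bytes) -> bool:
    """True when `kek` cannot unwrap `blob`: KEKs at different levels are not interchangeable."""
    try:
        return unwrap(kek, blob) is None
    except ValueError:
        return True
```

Rotating the CDKEK touches only the small wrapped-OKEY records, which is why key rotation does not require re-encrypting stands or journals.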