Securing MarkLogic Server

Configuring an External Keystore

An external key management system (KMS) or keystore offers additional security for your encryption keys, along with key management capabilities such as automatic key rotation, key revocation, and key deletion. If you want the ability to perform these tasks, you will need an external KMS. MarkLogic Server Encryption at Rest supports KMIP 1.2-compliant KMS servers and Amazon's KMS.

Note

The use of an external Key Management System (KMS) or keystore with encryption at rest requires an Advanced Security License, in addition to the regular MarkLogic Server license.

When using an external KMS, there is usually a security administrator role separate from the MarkLogic Server administrator. The security administrator is the role that sets up and configures the external keystore. The MarkLogic Server administrator can also perform this task, but for greater security it is recommended that a separate security administrator configure the KMS.

Note

Having a separate security administrator follows an important security principle called “Separation of Duties” and is recommended by security experts.

This section covers setting up MarkLogic Server encryption for use with an external key management system from the MarkLogic Server Admin Interface on the MarkLogic Server host. You don’t need to have MarkLogic Server encryption turned on for your cluster while you are setting up and configuring the external key management system.

Note

If you plan to use an external key management system, we recommend that you configure the external keystore first, and then turn on encryption in the MarkLogic Server.

The installation process for the external keystore varies depending on the type of KMIP-compliant KMS you plan to use. A security administrator must configure the external keystore using the administration setup tools that come with the external KMS. This section provides a high-level overview of the process from the MarkLogic Server point of view.