Configuring Encryption at Rest
Install MarkLogic Server version 9.0-x or later. The encryption at rest feature and the PKCS #11 secured wallet are installed by default. You can configure encryption at rest for databases (data encryption), log files (log encryption) and configuration files (config encryption). The encryption feature will need to be configured and enabled for your data to be encrypted.
When you start up MarkLogic Server for the first time after installation, the keystore.xml file will be loaded first. It contains the encryption key IDs. After loading the keystore.xml configuration, MarkLogic Server validates connectivity to the KMS (local or external) and the validity of the keys stored in keystore.xml. Once validated, encryption keys will be loaded and decrypted. Normal startup then continues. If configuration files are encrypted, the file layer will decrypt them as they are being loaded, making the encryption transparent to the cluster.
Note
If a node in your cluster is offline for any reason, wait until the host comes back online to make any changes to your encryption at rest settings. Do not change your encryption settings while a host is offline.