Skip to main content

Securing MarkLogic Server

Understanding Encryption at Rest

Encryption at rest enables you to transparently and selectively encrypt your data residing on disk (locally or in the cloud) in MarkLogic Server clusters. You can set your options at the cluster level to encrypt data on all the hosts in that cluster.

Three types of data can be encrypted:

  • User data - data ingested into MarkLogic Server databases, along with derived data such as indexes, user dictionaries, journals, backups, and so on

  • Configuration files - all configuration files generated by MarkLogic Server (for example, whenever a change is made to the configuration file)

  • Log files - all log files generated by MarkLogic Server, such as error logs, access logs, service dumps, server error logs, logs for each application server, and the task server logs

There are both MarkLogic Application Server logs and MarkLogic Server logs; both types of logs will be encrypted as part of log encryption.

Note

If you are using the Default Conversion Option described in The Default Conversion Option in the Content Processing Framework Guide. Note that the MarkLogic Converters package may generate temporary files, which are not supported by encryption at rest.

These types of data can each be encrypted separately. You can configure encryption for databases individually, or at the cluster level. Encryption at rest is “off” by default. To use encryption at rest, you need to configure and enable encryption for your database(s), configuration files, and/or log files.

Note

To access unencrypted forest data, MarkLogic Server normally uses memory-mapped files. When files are encrypted, MarkLogic Server instead decrypts them to anonymous memory. As a result, encrypted MarkLogic Server forests use more anonymous memory and less file-mapped memory than unencrypted forests.

Encryption at rest provides data confidentiality, but not authentication of identity or access control (permissions). See Authenticating Users and Protecting Documents for information about authentication and other forms of security in MarkLogic Server.

Warning

If you cannot access your PKCS #11 secured wallet (or external KMS if you are using one), or lose your encryption keys, you will not be able to decrypt any of your encrypted data. There is no “mechanism” to recover the encrypted data. We recommend that you backup your encryption keys in a secure location. See Backup and Restore for more details.

In this section: