Encryption at Rest in Data Hub Service

Overview

Data Hub Service (DHS) data and configuration files are encrypted at rest. By default, encryption at rest is automatically enabled for Low Priority and Standard services.

Important: This feature is only available for services running DHS version 3.0 or later.
Note: Encryption at rest cannot be disabled.

Encryption Keys

MarkLogic uses AWS Key Management Service (KMS) to generate two different keys for encrypting data and configuration files. The keys are stored in the AWS KMS of the AWS account dedicated to creating and maintaining your services. Both keys are symmetric customer master keys (CMKs) that are managed by MarkLogic and are not accessible to customers. Automatic key rotation is enabled for both keys.

The key used to encrypt data files is also used to encrypt backups of data files. To learn more about backups, see Database Backup Policy.

Important: MarkLogic will retain and manage keys for the lifetime of your DHS account, even if a service is terminated.

To learn more about encryption, see Understanding Encryption at Rest.