Transitioning from an External KMS to PKCS #11 Secured Wallet
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
Warning:
Moving from an external KMS to the internal KMS will downgrade your overall security, as the external KMS is more secure than the internal PKCS #11 secured wallet.
If for some reason you want to stop using your external KMS and revert to using the internal PKCS #11 secured wallet, use the steps in this section to transition to the internal PKCS #11 wallet.
To migrate encryption to the internal PKCS #11 wallet, do the following:
- Important: Before you start the transition to an external KMS, back up the wallet that contains all of the internal keys.
- Turn off encryption on all categories and force decryption of all encrypted forests by issuing a merge command.
- Ensure that all data is unencrypted. Forest status reports the encryption size.
- Set the configuration back to the internal PKCS #11 KMS and rotate the key encryption keys. See Key Rotation for more information.
- Re-index or force a merge of the database to re-encrypt your data.
Note:
Encrypted read-only forests will need to be set to updates-allow all and merge or they will be inaccessible.