
Secure MarkLogic Server

Manual Key Rotation

  • Last Updated: May 20, 2026
  • 1 minute read
    • MarkLogic Server
    • Version 12.0
    • Documentation

The intermediate fast rotation keys enable immediate envelope key rotation with a minimum of I/O. File-level keys can be rotated at any time by forcing a merge. Log rotation and configuration file updates use the new keys. Old logs, backups, and configuration files are not re-encrypted.

The internal KMS (the PKCS #11 secured wallet) follows these steps for fast key rotation:

  1. The user sends a key rotation command to MarkLogic Server (for example, admin:cluster-rotate-data-encryption-key-id()).

  2. MarkLogic Server requests a new data encryption key (CDKEK, CCKEK, CLKEK - the cluster-level encryption keys) from the internal KMS.

  3. Only the fast rotation keys are re-encrypted with the new data encryption keys (CDKEK, CCKEK, CLKEK).

An external KMS follows these steps for fast key rotation:

  1. The external KMS creates a new KEK (CDKEK, CCKEK, CLKEK - the cluster-level encryption keys).

  2. The user updates the UUIDs in MarkLogic Server. See Set Up an External KMIP KMS with MarkLogic Server Encryption for UUID details.

  3. MarkLogic Server sends the Fast Rotation Key (FRKEK) to the KMS.

  4. The external KMS sends the new enveloped key back to MarkLogic Server.

  5. The enveloped key is saved to disk, per file.

Note: Expired keys can be used for decryption but not encryption. Expired keys may be needed for decrypting backups.
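To make the fast-rotation idea concrete, here is an added Python model (not MarkLogic code; the wrap primitive is a constructed toy, not the server's PKCS #11 wallet or its key-wrap algorithm) of the hierarchy cluster KEK -> FRKEK -> per-file keys. It shows that rotating the KEK rewrites a single FRKEK envelope regardless of how many file envelopes exist, and that an expired KEK can still unwrap old envelopes (backups) but refuses to wrap new ones, as the note above states.

```python
import os, hmac, hashlib

# Toy envelope primitive (constructed stand-in for a real key-wrap/AEAD):
# SHA-256 keystream XOR plus an HMAC tag over nonce and body.
def wrap(kek, secret):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(secret, hashlib.sha256(kek + nonce).digest()))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong KEK or corrupted envelope")
    return bytes(a ^ b for a, b in zip(body, hashlib.sha256(kek + nonce).digest()))

class Cluster:
    """Hierarchy: versioned cluster KEK -> FRKEK envelope -> per-file key envelopes."""
    def __init__(self):
        self.keks = {}                      # kek_id -> [key bytes, expired?]
        self.current = self._new_kek()
        self.frkek_env = self.wrap_under(self.current, os.urandom(32))
        self.files = {}                     # path -> file-key envelope (under FRKEK)

    def _new_kek(self):
        kek_id = f"kek-{len(self.keks) + 1}"
        self.keks[kek_id] = [os.urandom(32), False]
        return kek_id

    def wrap_under(self, kek_id, secret):
        key, expired = self.keks[kek_id]
        if expired:                         # expired keys never encrypt
            raise PermissionError(f"{kek_id} is expired: decrypt-only")
        return wrap(key, secret)

    def unwrap_under(self, kek_id, blob):   # expired keys may still decrypt
        return unwrap(self.keks[kek_id][0], blob)

    def add_file(self, path):
        frkek = self.unwrap_under(self.current, self.frkek_env)
        self.files[path] = wrap(frkek, os.urandom(32))

    def file_key(self, path):
        frkek = self.unwrap_under(self.current, self.frkek_env)
        return unwrap(frkek, self.files[path])

    def rotate(self):
        """Fast rotation: new KEK, old one expired; only the FRKEK envelope is rewritten."""
        old, self.current = self.current, self._new_kek()
        self.keks[old][1] = True
        frkek = self.unwrap_under(old, self.frkek_env)   # decrypting with an expired key is allowed
        self.frkek_env = self.wrap_under(self.current, frkek)
        return 1                            # envelopes rewritten, whatever len(self.files) is
```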
