Keystores - PKCS #11 Secured Wallet or External KMS
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
A keystore is a secure location where the actual encryption keys used to encrypt data are stored. The keystore for encryption at rest is a key management system (KMS). This keystore can be the MarkLogic Server embedded PKCS #11 secured wallet, an external KMS that conforms to the KMIP-standard interface, or the native AWS KMS (Amazon Web Services Key Management System). The embedded keystore is installed by default when you install MarkLogic Server 9.0-x or later.
The MarkLogic Server embedded wallet is accessed through the standard PKCS #11 protocol and APIs. Whichever keystore you choose, the wallet or the external KMS must be available during the MarkLogic Server startup process (or be bootstrapped from MarkLogic Server during startup), because the keys it holds are needed to open the encrypted data. Any KMIP-compliant external keystore, as well as the native AWS KMS, can be used with MarkLogic Server.
To configure an external KMS, you will need the following information for your cluster:
- Host name
- Port number
- Client certificate
- Server certificate
If you are using the native AWS KMS, you do not need the client certificate or the server certificate; you still need the host name and port number.
Note: If you plan to use an external key management system, configure the external KMS first, then turn on encryption in MarkLogic Server.
For details, see Configuring an External Keystore.