Type: Epic
Resolution: Unresolved
Priority: Major - P3
Component/s: Client Side Encryption
Summary
Currently the KMS provider configuration allows only one provider per type: one AWS KMS account, one GCP Cloud KMS account, one Azure Key Vault account, one KMIP server and one local key.
That worked well until we added key rotation/key migration, where there can be a need to rotate or migrate from one account to another within the same provider type. Common use cases:
- An app is developed in a dev environment and is now being pushed to prod. The customer wants to use migration to move from a dev AWS KMS account to a prod AWS KMS account.
- A customer uses the "local key" provider to point at a key on their system that is secured however they want. There is no way to rotate that key, because a new key is considered a new key provider.
- Company A has been sold to Company B and needs to migrate from Company A's key provider to Company B's key provider, and both key providers are of the same type.
The question then becomes how many providers are supported per type. These use cases only need two providers, so two is the minimum. Depending on the complexity of adding more providers per type, it would be nice to support at least three and up to something like ten, to keep the configuration from getting unwieldy.
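The migration the use cases above describe, as an added example that is not code from this epic or from any MongoDB driver. It assumes the scheme the drivers adopted for this feature: each kmsProviders key is either a bare type or "<type>:<name>" with the name limited to `[a-zA-Z0-9_]`, a data key records that full key in its `masterKey.provider` field, and the driver's `rewrap_many_data_key(filter, provider=..., master_key=...)` re-wraps every data key the filter selects under the named target provider. The credentials, key ARN and provider names are constructed placeholders; only the `__main__` block talks to a server.

```python
# Added example, not code from the epic or from any MongoDB driver.
# It models several KMS providers of one type addressed as "<type>:<name>"
# and a rotation of data keys from one named provider to another of the same
# type, e.g. from a dev AWS account to a prod AWS account.
from __future__ import annotations
import re

KMS_TYPES = {"aws", "azure", "gcp", "kmip", "local"}
# Provider names are restricted to this character set in the driver spec.
NAME_RE = re.compile(r"^[a-zA-Z0-9_]+$")
# Fields a masterKey must carry for each provider type (local needs none,
# kmip's keyId is optional).
REQUIRED_MASTER_KEY_FIELDS = {
    "aws": {"key", "region"},
    "azure": {"keyVaultEndpoint", "keyName"},
    "gcp": {"projectId", "location", "keyRing", "keyName"},
    "kmip": set(),
    "local": set(),
}


def parse_provider(provider: str) -> tuple[str, str | None]:
    """Split 'aws:prod' into ('aws', 'prod'); a bare 'aws' has no name."""
    type_, sep, name = provider.partition(":")
    if type_ not in KMS_TYPES:
        raise ValueError(f"unknown KMS provider type {type_!r}")
    if sep and not NAME_RE.match(name):
        raise ValueError(f"invalid KMS provider name {name!r} in {provider!r}")
    return type_, (name if sep else None)


def validate_kms_providers(kms_providers: dict) -> dict:
    """Check every key is a valid '<type>' or '<type>:<name>' and return the map."""
    for key in kms_providers:
        parse_provider(key)
    return kms_providers


def plan_rewrap(kms_providers: dict, source: str, target: str,
                master_key: dict | None = None) -> dict:
    """Build the arguments for ClientEncryption.rewrap_many_data_key that move
    every data key wrapped by `source` to `target`. Both providers must be
    configured, and the master key must carry what the target type requires."""
    validate_kms_providers(kms_providers)
    for p in (source, target):
        if p not in kms_providers:
            raise KeyError(f"KMS provider {p!r} is not configured")
    if source == target:
        raise ValueError("source and target providers are the same")
    target_type, _ = parse_provider(target)
    missing = REQUIRED_MASTER_KEY_FIELDS[target_type] - set(master_key or {})
    if missing:
        raise ValueError(f"master key for {target!r} is missing {sorted(missing)}")
    return {
        # Data keys record the full provider key (assumption noted in the
        # lead-in), so this filter selects only keys wrapped by the source.
        "filter": {"masterKey.provider": source},
        "provider": target,
        "master_key": master_key,
    }


# Constructed sample configuration: two AWS accounts of the same type.
DEV_TO_PROD = {
    "aws:dev": {"accessKeyId": "AKIA_DEV_PLACEHOLDER", "secretAccessKey": "dev-secret"},
    "aws:prod": {"accessKeyId": "AKIA_PROD_PLACEHOLDER", "secretAccessKey": "prod-secret"},
}
PROD_CMK = {"region": "us-east-1",
            "key": "arn:aws:kms:us-east-1:111122223333:key/placeholder"}


if __name__ == "__main__":
    # Live run only: needs pymongo[encryption] 4.8+, a running server and real
    # AWS credentials in DEV_TO_PROD. Everything above runs offline.
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption
    from bson.codec_options import CodecOptions

    plan = plan_rewrap(DEV_TO_PROD, "aws:dev", "aws:prod", PROD_CMK)
    client = MongoClient()
    ce = ClientEncryption(DEV_TO_PROD, "encryption.__keyVault", client, CodecOptions())
    result = ce.rewrap_many_data_key(plan["filter"], provider=plan["provider"],
                                     master_key=plan["master_key"])
    print(result.bulk_write_result)
```

The same `plan_rewrap` covers the "local key" case from the second use case: configure `local:old` and `local:new` side by side and rewrap with no master key, since the local type has none. Keep the source provider configured until the rewrap has completed, because the driver still needs it to unwrap the existing data keys.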
Cast of Characters
Engineering Lead:
Document Author:
POCers:
Product Owner:
Program Manager:
Stakeholders:
Channels & Docs
Slack Channel
[Scope Document|some.url]
[Technical Design Document|some.url]
Issue Links
depends on:
- MONGOCRYPT-605 Support for more than 1 KMS provider per type (Closed)
is related to:
- COMPASS-8082 Add support for more than 1 KMS provider per type (Closed)
- MONGOSH-1786 Add support for more than 1 KMS provider per type (Closed)
split to:
- CXX-2800 CSFLE/QE Support for more than 1 KMS provider per type (Backlog)
- PHPLIB-1328 CSFLE/QE Support for more than 1 KMS provider per type (Backlog)
- RUBY-3363 CSFLE/QE Support for more than 1 KMS provider per type (Backlog)
- GODRIVER-3076 CSFLE/QE Support for more than 1 KMS provider per type (Ready for Work)
- CDRIVER-4801 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- CSHARP-4892 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- JAVA-5275 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- MOTOR-1228 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- NODE-5801 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- PYTHON-4112 CSFLE/QE Support for more than 1 KMS provider per type (Closed)
- RUST-1813 CSFLE/QE Support for more than 1 KMS provider per type (Closed)