Drivers / DRIVERS-2731

CSFLE/QE Support for more than 1 KMS provider per type

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major - P3
    • Component/s: Client Side Encryption

      Summary

      Driver Changes

      Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders, KMSProvidersTLSOptions, ClientEncryption.createDataKey(), and RewrapManyDataKeyOpts.provider.

      "Can current drivers accept arbitrary strings for KMS identifier?" suggests that Node and Rust will need API changes.

      Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map.

      Test Changes

      Specification tests are added. This introduces use of the encrypt and decrypt operations in the unified test format.

      The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders.

      Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1.

      The name1 KMS providers may be configured exactly as the unnamed KMS providers; i.e., aws:name1 is configured the same as aws.

      To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2.

      Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

      Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers.

      References

      https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests.

      https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.


      2024-01-19:

      Status update:

      • libmongocrypt implementation merged.
      • Specification changes in review.
      • C driver implementation in review.

      2024-01-08:

      Status update:

      • libmongocrypt implementation in review.
      • Specification updates in progress.

      Key            Status/Resolution   FixVersion
      CDRIVER-4801   Fixed               1.26.0
      CXX-2800       Backlog
      CSHARP-4892    Scheduled
      GODRIVER-3076  Backlog
      JAVA-5275      In Code Review
      NODE-5801      Fixed               6.8.0
      MOTOR-1228     Backlog             3.6
      PYTHON-4112    Fixed               4.7
      PHPLIB-1328    Backlog
      RUBY-3363      Backlog
      RUST-1813      Fixed               3.1.0

      Summary

      Currently the KMS provider allows for only one "provider" per type, so 1 AWS KMS account, 1 GCP Cloud KMS account, 1 Azure Key Vault account, 1 KMIP account and 1 local key.

      That worked well until we added in key rotation/key migration, where there could be the need to rotate/migrate from 1 account to another within the same provider type. Common use cases:

      1. App is developed in a dev environment and now the app is being pushed to Prod. Customer wants to use migration to move from a dev AWS KMS account to a Prod AWS KMS account.
      2. Customer uses the "local key" provider to specify an endpoint on their system that contains a key secured however they want. There is no way to rotate that key because a new key is considered a new key provider.
      3. Company A has been sold to Company B and needs to migrate from Company A's key provider to Company B's key provider, and both key providers are of the same type.

      The question then becomes how many providers are supported per type. In these use cases only 2 providers are needed, so it should be a minimum of 2. Depending on the complexity of adding more providers per type, it would be nice to add support for at least 3 and up to something like 10, to keep it from getting too unwieldy.
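      The two-accounts-of-one-type configuration described in these use cases and in the Driver Changes section above, as an added example that is not part of this ticket or of any MongoDB driver: it validates a kmsProviders map holding both aws and aws:name2, rejects KMSProvidersTLSOptions entries for providers that are not configured, and picks the credentials each key vault document needs during a rewrap from the dev account to the prod account. It assumes the name part of a provider id is limited to alphanumerics and underscores and that a key document's masterKey.provider stores the full id.

```python
import re

# Added example, not code from the ticket or any MongoDB driver. Validates a
# kmsProviders map mixing an unnamed provider ("aws") with a named one of the
# same type ("aws:name2") and shows the lookups a rewrap between them needs.
KMS_TYPES = {"aws", "azure", "gcp", "kmip", "local"}
NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # assumption: allowed name characters

def parse_provider_id(provider):
    """Split "type" or "type:name" into (type, name); reject malformed ids."""
    typ, sep, name = provider.partition(":")
    if typ not in KMS_TYPES:
        raise ValueError(f"unknown KMS provider type in {provider!r}")
    if sep and not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid KMS provider name in {provider!r}")
    return typ, (name if sep else None)

def validate_kms_providers(kms_providers, tls_options=None):
    """Return configured provider ids. TLS options are accepted only for
    configured providers, so a misspelt name fails fast instead of silently
    leaving that provider on default TLS settings."""
    for provider in kms_providers:
        parse_provider_id(provider)
    for provider in tls_options or {}:
        if provider not in kms_providers:
            raise ValueError(f"TLS options for unconfigured provider {provider!r}")
    return sorted(kms_providers)

def credentials_for_key(kms_providers, key_doc):
    """Credentials of the account a key vault document was created under.
    Assumption: masterKey.provider stores the full id, e.g. "aws:name2"."""
    provider = key_doc["masterKey"]["provider"]
    if provider not in kms_providers:
        raise KeyError(f"key {key_doc['_id']} needs unconfigured {provider!r}")
    return kms_providers[provider]

def keys_to_rewrap(key_docs, target):
    """Ids of keys still wrapped by another provider (e.g. dev -> prod move)."""
    return [d["_id"] for d in key_docs if d["masterKey"]["provider"] != target]

# Constructed sample: dev account as "aws", prod account as "aws:name2".
SAMPLE_PROVIDERS = {
    "aws": {"accessKeyId": "DEV-KEY-PLACEHOLDER", "secretAccessKey": "DEV-SECRET"},
    "aws:name2": {"accessKeyId": "PROD-KEY-PLACEHOLDER", "secretAccessKey": "PROD-SECRET"},
}
SAMPLE_KEYS = [
    {"_id": "key-dev", "masterKey": {"provider": "aws"}},
    {"_id": "key-prod", "masterKey": {"provider": "aws:name2"}},
]
```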

            Assignee: Kevin Albertson (kevin.albertson@mongodb.com)
            Reporter: Cynthia Braund (cynthia.braund@mongodb.com) (Inactive)
            Kevin Albertson, Esha Bhargava
            Votes: 0
            Watchers: 6