Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2732

CSFLE/QE KMIP support for encrypt/decrypt

    XMLWordPrintableJSON

Details

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Major - P3 Major - P3
    • None
    • Client Side Encryption
    • None
    • Needed
    • 0
    • 0
    • 0
    • 100
    • Hide

      2024-02-05: 

      Status update: 

      • libmongocrypt and C driver implementation working.
      • Working on specification tests.

      Show
      2024-02-05:  Status update:  libmongocrypt and C driver implementation working. Working on specification tests.
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-4817 Blocked
      CXX-2813 Blocked
      CSHARP-4941 Blocked
      GODRIVER-3103 Blocked
      JAVA-5300 Blocked
      NODE-5853 Blocked
      MOTOR-1236 Blocked
      PYTHON-4164 Blocked
      PHPLIB-1375 Blocked
      RUBY-3383 Blocked
      RUST-1830 Blocked
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-4817 Blocked CXX-2813 Blocked CSHARP-4941 Blocked GODRIVER-3103 Blocked JAVA-5300 Blocked NODE-5853 Blocked MOTOR-1236 Blocked PYTHON-4164 Blocked PHPLIB-1375 Blocked RUBY-3383 Blocked RUST-1830 Blocked

    Description

      Summary

      Previous versions of the KMIP spec did not support encrypt and decrypt functionality.  It was added in 1.2 but even those using 1.2 didn't necessarily support the encrypt/decrypt calls.  For CSFLE and Queryable Encryption, that means that the CMK is what needs to be transported back and forth from the key provider to the driver, which is less than ideal from a security standpoint because you are exposing a wrapping key.  If that wrapping key is exposed all dek encrypted with it can be decrypted.  HashiCorp Vault Enterprise added support for encrypt/decrypt in their 1.13 version, at our request, so that we can use KMIP like we do for the other key providers, which is sending the cleartext DEK to the key provider for encryption and sending encrypted DEK for decryption.

      Cast of Characters

      Engineering Lead:
      Document Author:
      POCers:
      Product Owner:
      Program Manager:
      Stakeholders:

      Channels & Docs

      Slack Channel

      [Scope Document|some.url]

      [Technical Design Document|some.url]

      Attachments

        Activity

          People

            adrian.dole@mongodb.com Adrian Dole
            cynthia.braund@mongodb.com Cynthia Braund (Inactive)
            Kevin Albertson Kevin Albertson
            Esha Bhargava Esha Bhargava
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: