Details
- Epic
- Resolution: Unresolved
- Major - P3
Description
Summary
Previous versions of the KMIP spec did not support encrypt and decrypt functionality. It was added in 1.2, but even implementations using 1.2 did not necessarily support the encrypt/decrypt calls. For CSFLE and Queryable Encryption, that means the CMK itself has to be transported back and forth between the key provider and the driver, which is less than ideal from a security standpoint because it exposes a wrapping key. If that wrapping key is exposed, every DEK encrypted with it can be decrypted. HashiCorp Vault Enterprise added support for encrypt/decrypt in version 1.13, at our request, so that we can use KMIP the way we use the other key providers: sending the cleartext DEK to the key provider for encryption and sending the encrypted DEK for decryption.
Issue Links
split to:
- CDRIVER-4817 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- CSHARP-4941 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- CXX-2813 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- GODRIVER-3103 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- JAVA-5300 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- MOTOR-1236 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- NODE-5853 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- PHPLIB-1375 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- PYTHON-4164 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- RUBY-3383 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)
- RUST-1830 CSFLE/QE KMIP support for encrypt/decrypt (Blocked)