Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.3.0-rc0
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Server Security
Backwards Compatibility:
Fully Compatible
Sprint:
Server Security 2026-01-16, Server Security 2026-01-30, Server Security 2026-02-13
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

When rotating to a new KEK, we need to dump the encrypted KEK object out to the oplog specifically for PIT restore, since PIT restore starts at a checkpoint and then uses the oplog to jog the system to a specific point-in-time. The oplog therefore needs to have the encrypted KEK to decrypt future oplog messages encrypted with the new KEK.

causes

SERVER-119452 Ignore "km" oplog entries in change streams

Closed

is depended on by

TOOLS-4085 Investigate changes in SERVER-117223: Introduce a new SLS Oplog message for encrypted KEKs

Accepted

COMPASS-10352 Investigate changes in SERVER-117223: Introduce a new SLS Oplog message for encrypted KEKs

Closed

Assignee:: Shreyas Kalyan
Reporter:: Shreyas Kalyan
Participants:: Githook User, Shreyas Kalyan
Votes:: 0 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jan 15 2026 03:51:46 PM UTC
Updated:: Feb 11 2026 05:46:58 PM UTC
Resolved:: Feb 11 2026 05:44:45 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates