Summary
Previous versions of the KMIP spec did not support encrypt and decrypt functionality. It was added in 1.2 but even those using 1.2 didn't necessarily support the encrypt/decrypt calls. For CSFLE and Queryable Encryption, that means that the CMK is what needs to be transported back and forth from the key provider to the driver, which is less than ideal from a security standpoint because you are exposing a wrapping key. If that wrapping key is exposed all dek encrypted with it can be decrypted. HashiCorp Vault Enterprise added support for encrypt/decrypt in their 1.13 version, at our request, so that we can use KMIP like we do for the other key providers, which is sending the cleartext DEK to the key provider for encryption and sending encrypted DEK for decryption.
Cast of Characters
Engineering Lead:
Document Author:
POCers:
Product Owner:
Program Manager:
Stakeholders:
Channels & Docs
Slack Channel
[Scope Document|some.url]
[Technical Design Document|some.url]