[SERVER-53056] Call KMIP Deactivate when rotating encryption keys Created: 24/Nov/20 Updated: 06/Dec/22

| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Sreekarthik Ramalingam |
| Assignee: | Backlog - Security Team |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Sprint: | Security 2021-11-15, Security 2021-11-29 |

| Description |
When a Master key is rotated by the MongoDB Enterprise using the command
the KMIP Client in it does not deactivate the master key which it was using prior to the rotation, and the old key is left as a stale entry in the server. Also, please confirm if it has to be removed ideally or whether it's retained for any specific reason. Added content from only two KMIP operations listed below are performed by the KMIP Client in MongoDB Enterprise.
| Comments |
| Comment by Sara Williamson [ 04/Jan/21 ] |
Hi Sreekarthik, Thank you for filing this ticket. We will consider it alongside
| Comment by Eric Sedor [ 30/Nov/20 ] |
Hi sreekarthik.ramalingam@appviewx.com, Thanks for writing. We are tracking the need to call activate in Gratefully,
| Comment by Sreekarthik Ramalingam [ 30/Nov/20 ] |
Team,
Please change the subject of the ticket to: "Master keys in KMIP Server are neither activated before using them for Cryptographic operations, nor deactivated after a key rotation", as activation of the Master Keys gains more prominence than deactivation.
| Comment by Sreekarthik Ramalingam [ 30/Nov/20 ] |
The OASIS spec for KMIP clearly states that objects existing in the Pre-Active state should not be used for any Cryptographic purposes, but the KMIP Client in MongoDB Enterprise just performs a Create operation and does not perform an Activate operation, yet uses the Symmetric Key in the Pre-Active state for encryption/decryption of data encryption keys.
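The lifecycle rules the two comments above rely on, as an added illustration that is not part of the ticket and not MongoDB's or any KMIP library's code: a toy in-memory KMIP server that enforces the per-state usage rules from the OASIS spec (Pre-Active: no cryptographic use; Active: protect and process; Deactivated: process only), beside the Create-only rotation the ticket describes and a Create/Activate/Deactivate rotation that leaves no stale Active key. Class and function names (`KmipServer`, `rotate_create_only`, `rotate_conforming`) are our own.

```python
# Constructed toy model of the KMIP object lifecycle this ticket is about; not MongoDB's
# or any KMIP library's code. State names and per-state usage rules follow the OASIS
# KMIP spec; the class and function names are our own.
from enum import Enum

class State(Enum):
    PRE_ACTIVE = "Pre-Active"    # result of Create: no cryptographic use at all
    ACTIVE = "Active"            # may protect (encrypt/wrap) and process (decrypt)
    DEACTIVATED = "Deactivated"  # may still process old data, must not protect new data

class KmipServer:
    def __init__(self) -> None:
        self.keys: dict[str, State] = {}   # uid -> lifecycle state

    def create(self) -> str:
        uid = f"key-{len(self.keys) + 1}"
        self.keys[uid] = State.PRE_ACTIVE  # Create alone leaves the key Pre-Active
        return uid

    def activate(self, uid: str) -> None:
        if self.keys[uid] is not State.PRE_ACTIVE:
            raise PermissionError(f"{uid}: Activate is only valid from Pre-Active")
        self.keys[uid] = State.ACTIVE

    def deactivate(self, uid: str) -> None:
        if self.keys[uid] is not State.ACTIVE:
            raise PermissionError(f"{uid}: Deactivate is only valid from Active")
        self.keys[uid] = State.DEACTIVATED

    def check_usage(self, uid: str, op: str) -> None:
        # op is "protect" (encrypt/wrap) or "process" (decrypt/unwrap)
        state = self.keys[uid]
        if state is State.PRE_ACTIVE:
            raise PermissionError(f"{uid} is Pre-Active: no cryptographic use allowed")
        if op == "protect" and state is not State.ACTIVE:
            raise PermissionError(f"{uid} is {state.value}: must not protect new data")

def rotate_create_only(srv: KmipServer) -> str:
    # The pattern the ticket describes: Create, then use the new key straight away.
    new_uid = srv.create()
    srv.check_usage(new_uid, "protect")    # raises: the key is still Pre-Active
    return new_uid

def rotate_conforming(srv: KmipServer, old_uid: str) -> str:
    # Create, Activate, re-wrap the data keys under the new key, Deactivate the old one.
    new_uid = srv.create()
    srv.activate(new_uid)
    srv.check_usage(old_uid, "process")    # unwrap data keys with the old master key
    srv.check_usage(new_uid, "protect")    # wrap them again under the new master key
    srv.deactivate(old_uid)                # no stale Active entry left on the server
    return new_uid
```

Note that `rotate_create_only` also leaves its freshly created Pre-Active key behind on the server, which is the stale-entry symptom the description reports from the other side of the rotation.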