[SERVER-53056] Call KMIP Deactivate when rotating encryption keys Created: 24/Nov/20  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Sreekarthik Ramalingam Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screenshot from 2020-11-30 20-30-02.png    
Assigned Teams: Server Security
Operating System: ALL
Sprint: Security 2021-11-15, Security 2021-11-29
Participants:

Description

When a master key is rotated by MongoDB Enterprise using the command

mongod --enableEncryption --kmipRotateMasterKey \
 --kmipServerName <KMIP Server HostName> \
 --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

the KMIP client in it does not deactivate the master key it was using prior to the rotation, and the old key is left as a stale entry in the KMIP server.

Also, please confirm whether it should ideally be removed, or whether it is retained for any specific reason.

Added content from SERVER-53055:

Only two KMIP operations, listed below, are performed by the KMIP client in MongoDB Enterprise.

  • Create
  • Get


Comments
Comment by Sara Williamson [ 04/Jan/21 ]

Hi Sreekarthik,

Thank you for filing this ticket. We will consider it alongside SERVER-23607.

Comment by Eric Sedor [ 30/Nov/20 ]

Hi sreekarthik.ramalingam@appviewx.com,

Thanks for writing. We are tracking the need to call activate in SERVER-23607. Rather than close this ticket as a duplicate of that ticket, I'm going to preserve the original emphasis on deactivation in this ticket, and will pass this on to an appropriate team for consideration.

Gratefully,
Eric

Comment by Sreekarthik Ramalingam [ 30/Nov/20 ]

Team,
Please change the subject of the ticket to: "Master keys in KMIP Server are neither activated before using them for Cryptographic operations, nor deactivated after a key rotation", as activation of the master keys gains more prominence than deactivation.

Comment by Sreekarthik Ramalingam [ 30/Nov/20 ]

The OASIS spec for KMIP clearly states that objects in the Pre-Active state should not be used for any cryptographic purposes, but the KMIP client in MongoDB Enterprise just performs a Create operation and does not perform an Activate operation; it uses the symmetric key in the Pre-Active state for encryption/decryption of data encryption keys.
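
The following Python is an added example, not MongoDB's KMIP client code and not part of this ticket. It models the KMIP managed-object lifecycle that the description and the comment above refer to (Create leaves a key Pre-Active; Activate moves it to Active; Revoke moves it to Deactivated) against a constructed in-memory stand-in for a KMIP server, and contrasts the Create-and-Get-only rotation reported in the ticket with a rotation that honours the lifecycle. The class and function names (FakeKmipServer, fetch_active_key, rotate_create_get_only, rotate_with_lifecycle, stale_keys) are assumptions made for this example; the stand-in does not model the Compromised state or revocation reasons, and the audit helper is a suggested check, not a MongoDB feature.

```python
"""Model of the KMIP managed-object lifecycle relevant to master-key rotation.

Constructed example: FakeKmipServer stands in for a real KMIP server and
models only the object states discussed in the ticket. This is not MongoDB's
KMIP client.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
import itertools
import os


class State(Enum):
    # KMIP object states in the order a key normally traverses them.
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"


@dataclass
class ManagedKey:
    uid: str
    material: bytes
    state: State = State.PRE_ACTIVE


class FakeKmipServer:
    """Minimal in-memory KMIP server stand-in (constructed for this example)."""

    def __init__(self) -> None:
        self._objects: dict[str, ManagedKey] = {}
        self._ids = itertools.count(1)

    def create(self, length_bits: int = 256) -> str:
        # KMIP Create: a freshly created symmetric key starts in Pre-Active.
        uid = str(next(self._ids))
        self._objects[uid] = ManagedKey(uid, os.urandom(length_bits // 8))
        return uid

    def activate(self, uid: str) -> None:
        # KMIP Activate: Pre-Active -> Active; any other source state is an error.
        obj = self._objects[uid]
        if obj.state is not State.PRE_ACTIVE:
            raise PermissionError(f"{uid}: cannot Activate from {obj.state.value}")
        obj.state = State.ACTIVE

    def revoke(self, uid: str) -> None:
        # KMIP Revoke with a non-compromise reason: the key becomes Deactivated.
        # (Compromise reasons, which lead to the Compromised state, are not modelled.)
        obj = self._objects[uid]
        if obj.state is State.DEACTIVATED:
            raise PermissionError(f"{uid}: already Deactivated")
        obj.state = State.DEACTIVATED

    def get(self, uid: str) -> bytes:
        # KMIP Get hands back key material whatever the state; the client must check.
        return self._objects[uid].material

    def state(self, uid: str) -> State:
        return self._objects[uid].state

    def uids(self) -> list[str]:
        return list(self._objects)


def fetch_active_key(server: FakeKmipServer, uid: str) -> bytes:
    """Client-side guard: only an Active key may be used for cryptographic work."""
    st = server.state(uid)
    if st is not State.ACTIVE:
        raise RuntimeError(f"refusing to use key {uid} in state {st.value}")
    return server.get(uid)


def rotate_create_get_only(server: FakeKmipServer, old_uid: str) -> str:
    """Rotation as the ticket describes it: Create and Get only.

    The new key is used while still Pre-Active and the old key (old_uid) is
    deliberately left untouched, so it lingers as a stale, still-usable entry.
    """
    new_uid = server.create()
    server.get(new_uid)  # used directly, no Activate
    return new_uid


def rotate_with_lifecycle(server: FakeKmipServer, old_uid: str) -> str:
    """Rotation that honours the KMIP lifecycle: Create, Activate, use, Revoke old."""
    new_uid = server.create()
    server.activate(new_uid)
    fetch_active_key(server, new_uid)  # re-wrap the data encryption keys here
    server.revoke(old_uid)             # old master key -> Deactivated
    return new_uid


def stale_keys(server: FakeKmipServer, current_uid: str) -> list[str]:
    """Audit helper: keys other than the current master key that are still usable."""
    return [u for u in server.uids()
            if u != current_uid and server.state(u) is not State.DEACTIVATED]
```

Running stale_keys after a Create-and-Get-only rotation returns the previous master key, which is exactly the stale entry the description reports; after rotate_with_lifecycle it returns an empty list, and fetch_active_key refuses a key that was never activated, which is the check the comment above asks for.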

Generated at Thu Feb 08 05:29:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.