[SERVER-63626] Fix audit encryption header for KMS / KMIP

| Created: | 14/Feb/22 | Updated: | 29/Oct/23 | Resolved: | 18/Mar/22 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.0.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Shreyas Kalyan | Assignee: | Shreyas Kalyan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Sprint: | Security 2022-02-21, Security 2022-03-07, Security 2022-03-21 |
| Participants: | |
Description

Currently the audit encryption header is missing two fields in the keystore ID struct: the KMIP server name and port. The mongo node also does not handle the case where cloud passes in an entire KMS "keystoreID" struct. We should make the mongo node compliant with the audit encryption design.
Comments

Comment by Githook User [ 17/Mar/22 ]

Author: Shreyas Kalyan (shreyas.kalyan@10gen.com, username: shreyaskalyan)
Message:
Comment by Salman Baset [ 14/Mar/22 ]

Thanks, shreyas.kalyan. Can you please confirm the following: 1. local key available in Server today, and mongocli is testing against it
Comment by Ciprian Tibulca [ 14/Mar/22 ]

Thank you shreyas.kalyan for re-prioritizing this, and please let us know when the binary is available. salman.baset, is this changing the 5.3 announcement you'll release next week? It will not be included in the original release of 5.3; it will likely only be available in a future release of 5.3.
Comment by Salman Baset [ 14/Mar/22 ]

Good point, ciprian.tibulca. shreyas.kalyan, thoughts?
Comment by Ciprian Tibulca [ 14/Mar/22 ]

We started the KMIP support work in APIx, but we won't be able to test and fully implement this task without valid encrypted audit log files (one using the KMIP get method and one with the encrypt method). This means the plan of releasing the decryption support in the CLIs might be delayed if we don't have these 2 sample files in their final format.
Also, this task has Fix Version/s: 6.0 Required; even if implemented, will it be included in 5.3 (so that the 5.3 announcement will be accurate by including log encryption with KMIP)?
Comment by Salman Baset [ 14/Mar/22 ]

Thanks, ciprian.tibulca. From the audit log decryption perspective, what is the dependency on the KMIP server name and port? cc shreyas.kalyan
Comment by Ciprian Tibulca [ 14/Mar/22 ]

salman.baset, this task affects the 5.3 release announcement if it will include audit log encryption / decryption with localKey and KMIP.