[SERVER-63626] Fix audit encryption header for KMS / KMIP Created: 14/Feb/22  Updated: 29/Oct/23  Resolved: 18/Mar/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.0-rc0

Type: Bug Priority: Major - P3
Reporter: Shreyas Kalyan Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security 2022-02-21, Security 2022-03-07, Security 2022-03-21
Participants:

Description

Currently the audit encryption header is missing two fields in the keystore ID struct: the KMIP server name and port. The mongo node also does not handle the case where cloud passes in an entire KMS "keystoreID" struct. We should make the mongo node compliant with the audit encryption design.



Comments
Comment by Githook User [ 17/Mar/22 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-63626 Fix audit encryption header for KMS / KMIP
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/30bd0300c8ccd07b1bafa562664e6b450fd79027

Comment by Salman Baset [ 14/Mar/22 ]

Thanks, shreyas.kalyan. Can you please confirm the following:

1. Local key is available in Server today, and mongocli is testing against it.
2. KMIP (server name and port) and KMS information will be made available in a pre-release of 6.0 to the mongocli team, so that they can complete their development and testing.

Comment by Ciprian Tibulca [ 14/Mar/22 ]

Thank you shreyas.kalyan for re-prioritizing this and please let us know when the binary is available.

salman.baset, is this changing the 5.3 announcement you'll release next week? It will not be included in the original release of 5.3; it will likely only be available in a future release of 5.3.

Comment by Salman Baset [ 14/Mar/22 ]

Good point, ciprian.tibulca. shreyas.kalyan thoughts?

Comment by Ciprian Tibulca [ 14/Mar/22 ]

salman.baset

We started the KMIP support work in APIx, but we won't be able to test and fully implement this task without valid encrypted audit log files (one using the KMIP get method and one with the encrypt method).

This means the plan of releasing the decryption support in CLIs might be delayed if we don't have these 2 sample files in their final format.

Also, this task has Fix Version/s: 6.0 Required; even if implemented, will it be included in 5.3 (so that the 5.3 announcement will be accurate by including log encryption with KMIP)?

Comment by Salman Baset [ 14/Mar/22 ]

Thanks, ciprian.tibulca. From the audit log decryption perspective, what is the dependency on the KMIP server name and port? cc shreyas.kalyan

Comment by Ciprian Tibulca [ 14/Mar/22 ]

salman.baset, this task affects the 5.3 release announcement, if it will include audit log encryption / decryption with localKey and KMIP.
