[SERVER-75913] Address Upgrade concerns regarding KMIP Activate
Created: 10/Apr/23 | Updated: 29/Oct/23 | Resolved: 16/May/23
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.0.7 |
| Type: | Task | Priority: | Critical - P2 |
| Reporter: | Shreyas Kalyan | Assignee: | Spencer Jackson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2023-05-01, Security 2023-05-15, Security 2023-05-29 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
|
We should modify the behavior of the Encrypted Storage Engine in 6.0 to warn users that their keys have not been activated, rather than shutting down the server when their keys have not been activated. This creates a transition for customers to activate their keys over the period of multiple releases. |
| Comments |
| Comment by Shreyas Kalyan [ 18/Apr/23 ] |
|
Hi molly.hanson@mongodb.com, we are currently working with our release team to get an understanding of the timeline of this feature. We will update you with a timeline when we have more clarity. The fix above does not activate the existing KMIP keys without performing special tasks. We do not plan on issuing a fix that modifies the state of existing customer keys, since that could cause implications in their other deployments if they are using that same key elsewhere. However, this fix would allow customers to rotate their KMIP key to a newly created key that is activated (the mongod would create this key and activate it). |
| Comment by Molly Hanson [ 18/Apr/23 ] |
|
Hey team, thanks for your help here. I am moving this to critical after a conversation with our customer on 4/13. Due to some security requirements, Allstate is required to be on the most recent version of Mongo, and currently Allstate is blocked from upgrading prod environments to MongoDB 6.0. They are requesting a fix to the binaries that activate the existing KMIP keys without performing any special tasks from the DBA side. Does the proposed solution above solve for this?
Given the security requirements, the customer is anxious for a timeline for this request. Can you help me understand this feature's timeline so I can communicate back to the customer ASAP? |