[SERVER-75913] Address Upgrade concerns regarding KMIP Activate
Created: 10/Apr/23
Updated: 29/Oct/23
Resolved: 16/May/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.7

Type: Task
Priority: Critical - P2
Reporter: Shreyas Kalyan
Assignee: Spencer Jackson
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-76945 Expose PyKMIP activation to JSTests Closed
Documented
is documented by DOCS-16130 Investigate changes in SERVER-75913: ... Backlog
Related
Assigned Teams: Server Security
Backwards Compatibility: Fully Compatible
Sprint: Security 2023-05-01, Security 2023-05-15, Security 2023-05-29
Participants:
Case:

 Description   

We should modify the behavior of the Encrypted Storage Engine in 6.0 to warn users that their keys have not been activated, rather than shut down the server if their keys have not been activated, to create a transition for customers to activate their keys over the period of multiple releases.



 Comments   
Comment by Shreyas Kalyan [ 18/Apr/23 ]

Hi molly.hanson@mongodb.com, we are currently working with our release team to get an understanding of the timeline of this feature. We will update you with a timeline when we have more clarity.

The fix above does not activate the existing KMIP keys without performing special tasks. We do not plan on issuing a fix that modifies the state of existing customer keys, since that could cause implications in their other deployments if they are using that same key elsewhere. However, this fix would allow customers to rotate their KMIP key to a newly created key that is activated (the mongod would create this key and activate it).

Comment by Molly Hanson [ 18/Apr/23 ]

Hey team, thanks for your help here.

I am moving this to critical after a conversation with our customer on 4/13. Due to some security requirements, Allstate is required to be on the most recent version of Mongo, and currently Allstate is blocked from upgrading prod environments to MongoDB 6.0. They are requesting a fix to the binaries that activate the existing KMIP keys without performing any special tasks from the DBA side. Does the proposed solution above solve for this?

Given the security requirements, the customer is anxious for a timeline for this request. Can you help me understand this feature's timeline so I can communicate back to the customer ASAP?

cc gabriela.taylor@mongodb.com 
