Description
Hi,
Setup: https://confluence.percona.com/display/PSMDB/PSMDB+with+KMIP
Right now PSMDB operates with key name in KMIP rather than key ID as it's done in Enterprise.
PSMDB

rs1:PRIMARY> db._adminCommand({getCmdLineOpts: 1}).parsed.security.kmip.keyIdentifier
testR1
rs1:SECONDARY> db._adminCommand({getCmdLineOpts: 1}).parsed.security.kmip.keyIdentifier
testR2
rs1:SECONDARY> db._adminCommand({getCmdLineOpts: 1}).parsed.security.kmip.keyIdentifier
testR3

KMIP

> select * from managed_object_names;
1|1|testR1|1|1
2|2|testR3|1|1
3|3|testR2|1|1
> select * from managed_objects;
1|2|SymmetricKey|5OIuzDWw8TIqsTu5ab0fYz4MUrjr2+YV8Y+SJm65DtA=|2|default|0|1651758712|mongod
2|2|SymmetricKey|/6UgOvn2rbhHOYFg7C4YHByirVycEHeH8M+0fCgksEI=|2|default|0|1651758833|mongod
3|2|SymmetricKey|DAc/UffW4asfRNO0o2IBWcmr/qzATzal6zvz23EsObc=|2|default|0|1651758834|mongod
MongoDB Enterprise

rs1:PRIMARY> db._adminCommand({getCmdLineOpts: 1}).parsed.security.kmip
{
  "clientCertificateFile" : "/etc/mongodb/mongod.pem",
  "serverCAFile" : "/etc/mongodb/ca.crt",
  "serverName" : "127.0.0.1"
}

sqlite> select * from managed_object_names;
sqlite> select * from managed_objects;
1|2|SymmetricKey|5OIuzDWw8TIqsTu5ab0fYz4MUrjr2+YV8Y+SJm65DtA=|1|default|0|1651760586|mongod
2|2|SymmetricKey|/6UgOvn2rbhHOYFg7C4YHByirVycEHeH8M+0fCgksEI=|1|default|0|1651760588|mongod
3|2|SymmetricKey|DAc/UffW4asfRNO0o2IBWcmr/qzATzal6zvz23EsObc=|1|default|0|1651760589|mongod
Such an approach introduces a bunch of limitations and differences from Enterprise:
1) no way to leave this option blank (no default value); by using an ID it would be possible to generate a new key unless kmipKeyIdentifier is specified
2) no way to use the same key for different nodes, since after rotation the second node won't be able to start
3) no way to define a new kmipKeyIdentifier during rotation as per the documentation below, since the current value isn't saved in the datadir: https://www.mongodb.com/docs/manual/tutorial/rotate-encryption-key/
Please consider changing the current approach.
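The following is an added example, not code from the reporter, Percona or MongoDB. It models the second limitation above with an in-memory stand-in for a KMIP server: KMIP Locate on a Name attribute may return several Unique Identifiers (names are not required to be unique), while Get takes exactly one Unique Identifier. The `NameNode` start-up behaviour (create a key under the configured name if none exists, fail if more than one matches) and the `IdNode` behaviour (persist the key's ID, generate a fresh key when none is configured) are assumptions made for the model; the node classes, store and scenario functions are hypothetical names, and all key material is constructed with `os.urandom`.

```python
"""Model: referencing a KMIP master key by Name vs by Unique Identifier.

Added example, not Percona/MongoDB code. KmipStore stands in for a KMIP
server; the node classes stand in for two mongod instances sharing a key.
"""
import os
from dataclasses import dataclass, field


@dataclass
class KmipStore:
    """Minimal stand-in for a KMIP server: Register, Locate (by Name), Get (by ID)."""
    objects: dict = field(default_factory=dict)   # unique_id -> (name, key_bytes)
    next_id: int = 1

    def register(self, name=None):
        """Register a new 32-byte symmetric key; return its Unique Identifier."""
        uid = str(self.next_id)
        self.next_id += 1
        self.objects[uid] = (name, os.urandom(32))   # constructed key material
        return uid

    def locate(self, name):
        """Locate by Name attribute: may return zero, one or many identifiers."""
        return sorted((uid for uid, (n, _) in self.objects.items() if n == name), key=int)

    def get(self, uid):
        """Get by Unique Identifier: always exactly one object."""
        return self.objects[uid][1]


class NameNode:
    """Node configured with only a key Name (assumed name-based behaviour)."""
    def __init__(self, store, name):
        self.store, self.name, self.key = store, name, None

    def start(self):
        ids = self.store.locate(self.name)
        if not ids:
            uid = self.store.register(self.name)   # first start: create key under this name
        elif len(ids) == 1:
            uid = ids[0]
        else:
            return "ambiguous"   # several keys carry this Name; cannot tell which one is ours
        self.key = self.store.get(uid)
        return "ok"

    def rotate(self):
        # Only a Name can be expressed in the config, so the new key reuses it.
        self.key = self.store.get(self.store.register(self.name))


class IdNode:
    """Node that persists the key's Unique Identifier (assumed ID-based behaviour)."""
    def __init__(self, store, uid=None):
        self.store, self.uid, self.key = store, uid, None   # uid stands in for the value saved in the datadir

    def start(self):
        if self.uid is None:
            self.uid = self.store.register()   # no identifier configured: generate a fresh key
        self.key = self.store.get(self.uid)
        return "ok"

    def rotate(self):
        self.uid = self.store.register()       # new key gets a new, unique ID; the old one stays valid
        self.key = self.store.get(self.uid)


def shared_name_after_rotation():
    """Two nodes share a key by Name; node a rotates; node b can no longer start."""
    store = KmipStore()
    a, b = NameNode(store, "shared"), NameNode(store, "shared")
    a.start()
    b.start()
    a.rotate()                          # now two SymmetricKeys carry the Name "shared"
    return b.start(), store.locate("shared")


def shared_id_after_rotation():
    """Two nodes share a key by ID; node a rotates; node b still finds its own key."""
    store = KmipStore()
    a = IdNode(store)                   # nothing configured: a fresh key, ID "1"
    a.start()
    b = IdNode(store, uid=a.uid)        # b is pointed at the same key by ID
    b.start()
    a.rotate()                          # a moves to ID "2", b keeps ID "1"
    return b.start(), a.uid, b.uid


if __name__ == "__main__":
    print("by name:", shared_name_after_rotation())
    print("by id:  ", shared_id_after_rotation())
```

Running it shows the name-based node reporting "ambiguous" once two keys carry the same Name, while the ID-based node keeps starting against its own key after the other node rotates; the same model also covers the first limitation, since an `IdNode` with no identifier simply registers a new key.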